- Endpoint Security (endpoint vulnerabilities and protection methods: IronPort, NAC).
- Layer 2 Security (vulnerabilities and mitigation techniques of the Layer 2 infrastructure).
- Wireless, VoIP, and SAN security considerations and solutions.
Labs:
Hands-on lab "Securing Layer 2 Switches" - configure the following on a Layer 2 switch: SSH access, storm control for broadcasts, PortFast, BPDU guard, root guard, port security, Switched Port Analyzer, and PVLAN Edge. Learners also verify the configurations, monitor port activity using Wireshark, and analyze a sourced attack.
A Packet Tracer activity:
- Layer 2 Security (secure STP parameters to mitigate STP attacks, enable storm control to prevent broadcast storms, and enable port security to prevent MAC address table overflow attacks)
- Layer 2 VLAN Security (Mgmt VLAN, attach a management PC to the management VLAN, and implement an ACL to prevent outside users from accessing the management VLAN).
1) Endpoint Security
Without a secure LAN, users in an organization may not be able to access the network, which can significantly reduce productivity.
The LAN is made up of network endpoints. An endpoint, or host, is an individual computer system or device that acts as a network client: servers, laptops, desktops, IP phones, and personal digital assistants (PDAs).
IPsec is a means of encrypting data between endpoints, such as within a VPN tunnel. To understand how IPsec works, a basic understanding of cryptography is necessary.
The borderless network - primary business resources, including data centers, applications, endpoints and users, all exist outside the traditional business perimeter (think of iPhones and BlackBerrys).
Borderless networks - the network does not simply start at one location and end at another, but instead provides access without physical borders. Mobile workers, customers with multiple access methods, and cloud services blur the traditional dividing lines between network applications and functions.
Traditional network security consists of two major components:
- a heavy endpoint protection suite (antivirus, personal firewall, etc.),
- perimeter-based network-scanning devices (firewalls, web proxies, and email gateways).
This architecture worked well in a world of high-powered PCs that were mainly on the LAN and behind the firewall. In a network of mobile workers using personal devices of many types from a variety of locations, this model no longer works.
Cisco created the SecureX architecture to address how these heterogeneous devices can connect to enterprise resources securely.
Operating systems provide basic security services to applications:
- Trusted code and trusted path - code is verified before it runs (for example with hash message authentication codes (HMACs) or digital signatures), and the user has a path to the OS that other software cannot intercept. Example: the Ctrl-Alt-Delete secure attention sequence on Windows.
- Privileged context of execution.
- Process memory protection and isolation.
- Access control to resources.
Modern operating systems provide each process with an identity and privileges. Privilege switching is possible during program operation or during a single login session. For example, UNIX uses the suid (set user ID) facility and Windows uses the runas utility.
Attacks to applications can be:
- direct - the attacker fools the application into performing a task with the application's privileges
- indirect - the attacker first compromises another subsystem and attacks the application through the compromised subsystem (privilege escalation).
Cisco Systems provides several components to ensure a robust endpoint security solution. Two primary components of this solution are: IronPort and Cisco NAC.
- Cisco IronPort perimeter security appliances protect enterprises against Internet threats, with a focus on email and web security.
- NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources. With NAC, network security professionals can authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to network access.
IronPort and NAC overlap somewhat in their endpoint security functions. Together they protect against both direct and indirect attacks on operating system vulnerabilities.
IronPort
Cisco Systems acquired IronPort Systems in 2007. IronPort is a leading provider of anti-spam, antivirus, and anti-spyware appliances. IronPort uses SenderBase, the world's largest threat detection database (collects data from more than 100,000 ISPs, universities, and corporations), to help provide preventive and reactive security measures.
IronPort offers different security appliances:
- C-Series - An email security appliance for virus and spam control.
- S-Series - A web security appliance for spyware filtering, URL filtering, and anti-malware (the S-Series secure web gateway is based on the IronPort email security appliance platform).
- M-Series - A security management appliance that complements the email and web security appliances by managing and monitoring an organization's policy settings and audit information.
Spyware has become one of the most significant corporate security issues. More than 80 percent of corporate PCs are infected with spyware, yet less than 10 percent of corporations have deployed perimeter spyware defenses.
Network Admission Control
The purpose of Cisco NAC:
- allow only authorized and compliant systems (whether managed or unmanaged) to access the network,
- enforce network security policy.
NAC helps maintain network stability by providing four important features:
1) authentication and authorization,
2) posture assessment (evaluating an incoming device against the policies of the network). Assessment = evaluation, estimation.
3) quarantining of noncompliant systems,
4) remediation of noncompliant systems.
Cisco NAC products come in two general categories:
- NAC framework - An integrated framework that uses the existing Cisco network infrastructure together with third-party (NAC-aware vendor) software to enforce security policy compliance on all endpoints. It suits high-performance network environments with diverse endpoints; the four NAC functions can be provided by different devices in the network rather than by one device.
- Cisco NAC Appliance - Condenses the four NAC functions into an appliance form. It is a natural fit for medium-sized networks that need a self-contained solution, and for organizations that need simplified, integrated tracking of operating system and antivirus patches and vulnerability updates. It does not require a Cisco network.
The Cisco NAC Appliance can be used to:
- Recognize users, their devices, and their roles in the network
- Evaluate whether machines are compliant with security policies
- Enforce security policies by blocking, isolating, and repairing noncompliant machines
- Provide easy and secure guest access
- Simplify non-authenticating device access
- Audit and report whom is on the network
In the NAC framework, functions such as authentication, authorization, and accounting (AAA), scanning, and remediation are performed by other Cisco products, such as the Cisco Secure Access Control Server (ACS), or by partner products such as Trend Micro.
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC).
Cisco Secure Access Control products are part of the NAC Appliance-based Cisco TrustSec solution. TrustSec is a core component of the Secure Borderless Networks architecture.
Components:
Cisco NAC Manager (NAM) - the policy and management center for an appliance-based NAC deployment environment (defines role-based user access and endpoint security policies)
Cisco NAC Server (NAS) - assesses and enforces security policy compliance in an appliance-based NAC deployment environment.
Cisco NAC Agent (NAA) - an optional lightweight agent running on an endpoint device. It performs deep inspection of the device's security profile by analyzing registry settings, services, and files.
Cisco NAC Guest Server - manages guest network access, including provisioning, notification, management, and reporting of all guest user accounts and network activities
Cisco NAC Profiler - helps to deploy policy-based access control by providing discovery, profiling, policy-based placement, and post-connection monitoring of all endpoint devices. (dynamic discovery, identification, and monitoring of all network-attached endpoints).
2) Layer 2 Security
VLAN (Virtual Local-Area Network) - virtual broadcast domain comprising one or more switch ports. VLAN membership is carried across links as a tag in the Ethernet frame header.
802.1Q - IEEE specification that defines a standard VLAN tagging scheme.
Double tagging (Q-in-Q) - IEEE 802.1ad; a frame carrying two stacked 802.1Q tags.
Native VLAN - the VLAN whose frames are sent untagged on an 802.1Q trunk (it is not explicitly associated with any tag).
ISL (Inter-Switch Link) - Cisco proprietary VLAN tagging format.
DTP (Dynamic Trunking Protocol) - Cisco proprietary protocol to dynamically negotiate trunking parameters (like status and format).
VTP (VLAN Trunking Protocol) - Cisco proprietary protocol to distribute VLAN information within a predefined domain.
STP (Spanning-Tree Protocol) - Bridge protocol defined in the IEEE 802.1D standard.
BPDU (Bridge Protocol Data Unit) - Messages exchanged by switches that run the Spanning Tree Protocol.
Segmenting a LAN can extend the network, reduce congestion, isolate network problems, and improve security.
LAN segment - A section of a local area network that is used by a particular workgroup or department and separated from the rest of the LAN by a bridge, router or switch.
Bridge - network device that works at OSI Layer 2 and reduces the amount of traffic on a LAN by dividing it into two segments. A bridge is a two-interface device that creates two collision domains.
Switches are sometimes called "multi-port bridges" for this reason.
errdisable state - the port is effectively shut down: no traffic is sent or received, the port LED turns orange, and show interfaces reports the status as err-disabled. Various events can put an interface into errdisable; show errdisable recovery lists the causes and whether automatic recovery is enabled for each:
Switch# show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
rootguard            Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
L2 attacks include MAC address spoofing, STP manipulation, MAC address table overflows, LAN storms, and VLAN attacks.
Buffer overflow exploits try to overwrite memory used by an application; various tools (compiler and OS protections) are available to prevent buffer overflows.
Regarding network security, the Data Link Layer is often the weakest link.
If the Data Link Layer (L2) is hacked, communications are compromised without the other layers being aware of the problem.
MAC address spoofing attacks (fake, changed MAC)
Switches forward frames out specific ports based on the destination MAC address.
Switches maintain MAC address tables, also known as content-addressable memory (CAM) lookup tables, to track the source MAC addresses seen on each switch port.
The source and destination MAC addresses are not changed throughout the switched domain.
If the destination MAC address is not in the table, the switch forwards the frame out all ports in the VLAN except the one on which it was received. When the destination node responds, the switch records that node's MAC address in the table from the frame's source address field.
MAC spoofing attacks occur when an attacker changes the MAC address of their host to match the known MAC address of a target host; the switch then re-learns that address on the attacker's port and delivers frames meant for the target to the attacker.
MAC address table Overflow attacks
The MAC address table lives in fixed-size hardware memory (the switch fabric: the integrated circuits and accompanying programming that control the data paths through the switch), so it can hold only a limited number of entries.
MAC flooding takes advantage of this limit by bombarding the switch with frames from fake source MAC addresses until the table is full and no new entries can be accepted. The switch then behaves like a hub for any address it cannot learn: frames to unknown destinations are flooded out all ports, so the attacker can see frames sent between other hosts, but only within the local VLAN.
If the intruder does not keep up the flood of invalid source MAC addresses, the switch eventually ages out the bogus entries and begins to act like a switch again.
Tool - macof (floods a switch with frames containing randomly generated source and destination MAC and IP addresses). As long as macof is left running, the table on the switch remains full.
Both MAC spoofing and MAC address table overflow attacks can be mitigated by configuring port security on the switch. With port security, the administrator can either statically specify the MAC addresses allowed on a switch port or let the switch dynamically learn a fixed number of MAC addresses per port. Statically specifying MAC addresses is not manageable in a production environment; letting the switch dynamically learn a fixed number of addresses is the administratively scalable option.
MAC-address mitigation
1) Make the port an access port (port security cannot be enabled on a port in dynamic trunking mode)
Switch(config-if)# switchport mode access
2) Enable port security on this port
Switch(config-if)# switchport port-security
Port-security command syntax
Switch(config-if)# switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
| [mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]] [maximum value [vlan {vlan-list| {access | voice}}]]
3) Set how many MAC addresses may be learned on this port (optional; default = 1, maximum 131 in these notes; the upper bound depends on the switch model)
Switch(config-if)# switchport port-security maximum <value>
4) Setup static secure MAC addresses, stored in the address table, and added to the switch running configuration
Switch(config-if)# switchport port-security mac-address <mac-address>
5) Let the port learn MAC addresses dynamically and keep them as sticky secure addresses in the running configuration (combined with maximum 1 and violation shutdown, only the first host seen is allowed and any other MAC address disables the port)
Switch(config-if)# switchport port-security mac-address sticky
6) Setup port-security violation mode
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
protect - frames with unknown source addresses are dropped until you remove enough secure MAC addresses or raise the maximum; no notification and no violation counter.
restrict - same drop behaviour, but an SNMP trap and a syslog message are sent and the violation counter is incremented.
shutdown - the interface immediately becomes error-disabled and the port LED turns off; an SNMP trap and a syslog message are sent and the violation counter is incremented. This is the default mode.
shutdown vlan - only the VLAN on which the violation occurred is error-disabled, not the whole port.
7) Setup port-security aging time
switchport port-security aging {static | time <minutes> | type {absolute | inactivity}}
Static - Enable aging for statically configured secure addresses on this port.
Absolute - The secure addresses on the port are deleted after the specified aging time.
Inactivity - The secure addresses on the port are deleted only if they are inactive for the specified aging time.
8) Troubleshooting commands
show port-security [interface interface-name]
show port-security [interface interface-id] address
(config)# mac address-table notification <- enable the MAC address notification feature on a switch
Use the no switchport port-security violation {protect | restrict} interface configuration command to return the violation mode to the default condition (shutdown mode).
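The MAC flooding attack and the port-security mitigation above, as a runnable model. This is an added example, not Cisco code: a toy single-VLAN learning switch with a bounded MAC address table, a macof-style flood from one port, and a port-security policy (maximum 1, violation shutdown) on the attacker's port. Port names, the table size of 256 entries, and all MAC addresses are constructed for the illustration.

```python
"""CAM-table overflow (macof-style MAC flooding) and port-security model.

Added example, not Cisco code: a toy learning switch with a bounded MAC
address table. Port names, table size and MAC addresses are constructed.
"""
from collections import OrderedDict


class Switch:
    """Single-VLAN learning switch with a fixed-size MAC address table."""

    def __init__(self, ports, cam_capacity):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()        # mac -> port; oldest entry first
        self.policy = {}                # port -> {"maximum": n, "violation": mode}
        self.secure = {}                # port -> set of secure (sticky-learned) MACs
        self.err_disabled = set()
        self.violations = {}            # port -> violation count (restrict/shutdown)

    def port_security(self, port, maximum=1, violation="shutdown"):
        """Equivalent of switchport port-security maximum <n> / violation <mode>."""
        self.policy[port] = {"maximum": maximum, "violation": violation}
        self.secure.setdefault(port, set())

    def _allowed(self, port, src):
        """Port-security check for a frame with source MAC `src`."""
        pol = self.policy.get(port)
        if pol is None:
            return True
        known = self.secure[port]
        if src in known:
            return True
        if len(known) < pol["maximum"]:
            known.add(src)              # learn a new secure MAC (sticky-style)
            return True
        # Too many MACs on this port: a security violation.
        if pol["violation"] in ("restrict", "shutdown"):
            self.violations[port] = self.violations.get(port, 0) + 1
        if pol["violation"] == "shutdown":
            self.err_disabled.add(port)
        return False                    # protect and restrict just drop the frame

    def _learn(self, src, port):
        if src in self.cam:
            self.cam[src] = port        # refresh an existing entry
        elif len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # else: table full, the address is NOT learned (the attacker's goal)

    def receive(self, ingress, src, dst):
        """Switch one frame; return the set of egress ports."""
        if ingress in self.err_disabled or not self._allowed(ingress, src):
            return set()
        self._learn(src, ingress)
        if dst in self.cam:
            out = self.cam[dst]
            return set() if out == ingress else {out}
        # Unknown destination: flood out all other active ports in the VLAN.
        return self.ports - {ingress} - self.err_disabled


def fake_mac(i):
    """Deterministic stand-in for macof's random source MACs (locally administered)."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def flood_demo(port_security_enabled, attacker_frames=500):
    """Attacker on Fa0/3 floods fake MACs, then victims on Fa0/1 and Fa0/2 talk.

    Returns whether the attacker's port receives the victims' reply frame.
    """
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=256)
    if port_security_enabled:
        sw.port_security("Fa0/3", maximum=1, violation="shutdown")
    alice, bob = "00:11:22:33:44:01", "00:11:22:33:44:02"
    for i in range(attacker_frames):
        sw.receive("Fa0/3", src=fake_mac(i), dst=fake_mac(100000 + i))
    sw.receive("Fa0/1", src=alice, dst=bob)      # learned only if the table has room
    egress = sw.receive("Fa0/2", src=bob, dst=alice)
    return {
        "cam_entries": len(sw.cam),
        "attacker_sees_reply": "Fa0/3" in egress,
        "attacker_port_err_disabled": "Fa0/3" in sw.err_disabled,
        "violations": sw.violations.get("Fa0/3", 0),
    }


if __name__ == "__main__":
    print("no port security:", flood_demo(False))
    print("port security   :", flood_demo(True))
```

Without port security the 500 bogus source addresses fill all 256 table slots, the victims' addresses are never learned, and the reply to Alice is flooded to the attacker's port. With maximum 1 and violation shutdown on Fa0/3, the second bogus address is a violation, the port is error-disabled, only three real entries end up in the table, and the reply goes only to Fa0/1.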
STP Manipulation Attacks
STP is a Layer 2 protocol that ensures a loop-free topology. STP operates by electing a root bridge and building a tree topology from that root. STP allows physical redundancy but blocks the redundant links, so that only one active path exists between any two segments and no loops are present; a blocked link is unblocked when the active one fails.
Network attackers can manipulate STP to conduct an attack by changing the topology of a network. An attacker can make it appear that the attacking host is a root bridge, thereby spoofing the root bridge. All traffic for the immediate switched domain then passes through the rogue root bridge (the attacking system).
The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge. If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are not accessible.
Mitigation techniques for STP manipulation include enabling PortFast as well as root guard and BPDU guard.
PortFast - causes an interface configured as a Layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states. It is meant for ports that connect to a single workstation or server, so that those devices get network access immediately instead of waiting for STP to converge.
Switch(config)# spanning-tree portfast default <- enables PortFast on all non-trunking ports at once
Switch(config-if)# spanning-tree portfast <- on an interface
Switch# show running-config interface FastEthernet 0/8 <- show the interface configuration
BPDU Guard - keeps the active network topology predictable by protecting the switched network from BPDUs arriving on ports that should never receive them. Receipt of unexpected BPDUs might be accidental or part of an unauthorized attempt to add a switch to the network. If a port configured with PortFast receives a BPDU, BPDU guard puts the port into the err-disabled state. BPDU guard does not stop the port from sending BPDUs.
! Globally enables BPDU guard on all ports with PortFast enabled
Switch(config)# spanning-tree portfast bpduguard default
!
Switch# show spanning-tree summary
Root bridge for: VLAN0001, VLAN0004-VLAN1005
VLAN1013-VLAN1499, VLAN2001-VLAN4094
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled
Portfast is enabled by default
PortFast BPDU Guard is enabled
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is disabled
<output omitted>
BPDU Filtering - prevents interfaces that are in a PortFast-operational state from sending or receiving BPDUs. The interfaces still send a few BPDUs at link-up before the switch begins to filter outbound BPDUs. If a BPDU is received on a PortFast-enabled interface because it is connected to a switch, the interface loses its PortFast-operational status, and BPDU filtering is disabled on it.
! Globally enable BPDU filtering on PortFast-enabled interfaces
Switch(config)# spanning-tree portfast bpdufilter default
! Enable BPDU filtering on a specific interface (any interface, PortFast or not)
Switch(config-if)# spanning-tree bpdufilter enable
Note that enabling BPDU filtering at the interface level is the same as disabling spanning tree on that interface: it neither sends nor processes BPDUs, so a loop through it is not detected. Put it only on ports facing end hosts (PCs, servers, routers), never on ports toward other switches. BPDU filtering is supported with PVST+, rapid PVST+, and MSTP.
As per Cisco, interface-level BPDU filtering has priority over BPDU guard: a filtered port ignores incoming BPDUs instead of being err-disabled.
Root Guard - limits the switch ports out of which the root bridge can be negotiated.
If a root-guard-enabled port receives BPDUs that are superior to those the current root bridge is sending, the port is moved to the root-inconsistent state. This is effectively an STP listening state: no data traffic is forwarded across the port.
The switch keeps participating in STP with the neighbour as long as the neighbour does not try to become root. The superior BPDUs are simply ignored, so spoofed BPDUs from an attacking host cannot take over the root role. Recovery is automatic: the port returns to normal as soon as the offending superior BPDUs cease.
Root guard is best deployed on ports that connect to switches (or hosts) that must never become the root bridge or lead toward it, i.e. on designated ports facing the access layer, never on the uplink that is the switch's own root port.
! Configuring root guard on an interface:
Switch(config-if)#spanning-tree guard root
Switch# show spanning-tree inconsistentports
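The root-bridge election and the root guard behaviour described above, as a runnable model. This is an added example, not Cisco code: bridge IDs are compared the way STP compares them (lower priority wins, then lower MAC), a rogue BPDU with priority 0 arrives on an access port, and the same scenario is replayed with spanning-tree guard root on that port. The priorities, MAC addresses and port names are constructed; real STP port states and the max-age based recovery are simplified as noted in the comments.

```python
"""STP root election and root guard model. Added example, not Cisco code;
bridge priorities, MAC addresses and port names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int          # configurable priority (multiples of 4096 on Catalyst)
    mac: str

    def key(self):
        # Lowest bridge ID wins: priority first, then the lower MAC address.
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def beats(self, other):
        return self.key() < other.key()


class StpSwitch:
    """A bridge that tracks the best root it has heard of and its root port."""

    def __init__(self, bridge_id):
        self.bridge_id = bridge_id
        self.root_id = bridge_id            # every bridge initially claims to be root
        self.root_port = None
        self.root_guard = set()             # ports with 'spanning-tree guard root'
        self.inconsistent = set()           # ports currently root-inconsistent (blocked)

    def receive_bpdu(self, port, advertised_root):
        """Process a configuration BPDU advertising `advertised_root`; return the port state.

        Simplification: a root-guarded port recovers on the next BPDU that is
        not superior; a real switch waits for max-age after the superior BPDUs stop.
        """
        superior = advertised_root.beats(self.root_id)
        if port in self.root_guard:
            if superior:
                # This port must never become the root port: ignore the BPDU and block.
                self.inconsistent.add(port)
                return "root-inconsistent"
            self.inconsistent.discard(port)
            return "designated"
        if superior:
            self.root_id = advertised_root  # accept the better root
            self.root_port = port           # this port now leads toward the root
            return "root"
        return "designated"


def rogue_root_demo(root_guard_on_access_port):
    """Access switch with a legitimate root on Gi0/1 and an attacker on Fa0/8."""
    legit_root = BridgeId(priority=24576, mac="00:00:0c:aa:aa:aa")
    sw = StpSwitch(BridgeId(priority=32768, mac="00:00:0c:bb:bb:bb"))
    if root_guard_on_access_port:
        sw.root_guard.add("Fa0/8")
    sw.receive_bpdu("Gi0/1", legit_root)            # normal convergence via the uplink
    attacker = BridgeId(priority=0, mac="00:de:ad:be:ef:00")  # priority 0 beats everything
    state = sw.receive_bpdu("Fa0/8", attacker)      # spoofed BPDU on an access port
    return {"root": sw.root_id.mac, "root_port": sw.root_port, "fa0_8_state": state}


if __name__ == "__main__":
    print("without root guard:", rogue_root_demo(False))
    print("with root guard   :", rogue_root_demo(True))
```

Without root guard the attacker's priority-0 BPDU wins the election and the access port becomes the root port, so the switch now forwards toward the attacker. With root guard the same BPDU leaves the legitimate root in place and only moves Fa0/8 to root-inconsistent, which is what show spanning-tree inconsistentports would list.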
Configuring the Switch to Automatically Restore Err-Disabled Ports
SW2(config)# errdisable recovery cause bpduguard
!
! err-disabled ports are re-enabled 30 seconds after being disabled; if the offending BPDUs are still arriving, the port is err-disabled again
SW2(config)# errdisable recovery interval 30
!
SW2# show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Enabled
<snip>
Timer interval: 30 seconds
Interfaces that will be enabled at the next timeout:
LAN Storm Attack
A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol stack implementation, mistakes in network configurations, or users issuing a DoS attack can cause a storm.
Remember that switches flood broadcasts out all ports in the VLAN except the ingress port. Some necessary protocols, such as ARP and DHCP, use broadcasts; therefore, switches must be able to forward broadcast traffic.
Storm control (or traffic suppression) prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on one of the physical interfaces. The switch counts the number of packets of a specified type received within a certain time interval and compares the measurement with a predefined suppression-level threshold.
Storm control blocks the traffic type when the rising threshold is reached. The threshold can be expressed as:
- a percentage of the total available bandwidth of the port,
- packets per second (pps) at which broadcast, multicast, or unicast packets are received,
- bits per second (bps) at which broadcast, multicast, or unicast packets are received,
- a small-frame arrival rate in packets per second (this feature is enabled globally; the small-frame threshold is configured per interface).
The port stays blocked until the traffic rate drops below the falling threshold, if one is specified, and then resumes normal forwarding.
Switch(config-if)# storm-control {broadcast | multicast | unicast} level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Switch(config-if)# storm-control action {shutdown | trap}
Storm control is configured per interface; the trap and shutdown actions are independent of each other.
! Examples
Switch(config-if)# storm-control broadcast level 75.5
Switch(config-if)# storm-control multicast level pps 2k 1k
Switch(config-if)# storm-control action shutdown
!
show storm-control [interface] [{broadcast | multicast | unicast | history}]
This command displays storm control suppression levels set on all interfaces, or the specified interface, for the specified traffic type.
If no traffic type is specified, the default is broadcast traffic.
If the trap action is configured, the switch sends an SNMP trap when a storm occurs.
If the shutdown action is configured, the port is error-disabled during a storm, and the no shutdown interface configuration command must be used to bring the interface out of this state.
When the traffic suppression level is specified as a percentage (up to two decimal places) of the total bandwidth, the level can be from 0.00 to 100.00.
A threshold value of 100 percent means that no limit is placed on the specified type of traffic (broadcast, multicast or unicast).
A value of 0.0 means that all traffic of that type on that port is blocked.
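The rising/falling threshold behaviour above, as a runnable model. This is an added example, not Cisco code: a function that walks a per-interval packet count, blocks when the rising level is reached, and resumes only when the rate is below the falling level (which defaults to the rising level, as on IOS when no second value is given). The one-second interval, the pps thresholds and the traffic trace are constructed.

```python
"""Storm-control threshold model (rising/falling thresholds with hysteresis).
Added example, not Cisco code; the interval, thresholds and the per-second
broadcast counts below are constructed."""


def storm_control(pps_per_interval, rising, falling=None, action=None):
    """Apply storm control to a trace of per-interval packet counts of one type.

    Returns one entry per interval: 'forward', 'blocked' or 'err-disabled'.
    `falling` defaults to `rising`, like 'storm-control broadcast level pps 2k'
    without a second value. action=None is the default (drop only that traffic
    type while the storm lasts); action='shutdown' error-disables the port.
    """
    if falling is None:
        falling = rising
    blocked = False
    result = []
    for count in pps_per_interval:
        if count >= rising:
            if action == "shutdown":
                # The port goes err-disabled and stays so until 'no shutdown'
                # (or errdisable recovery): every remaining interval is dead.
                remaining = len(pps_per_interval) - len(result)
                result.extend(["err-disabled"] * remaining)
                return result
            blocked = True                       # storm detected: suppress this traffic type
        elif blocked and count < falling:
            blocked = False                      # rate fell below the falling level: resume
        result.append("blocked" if blocked else "forward")
    return result


# Constructed trace: broadcast packets per 1-second interval on one port.
TRACE = [100, 2500, 1800, 1200, 900, 3000]

if __name__ == "__main__":
    print("pps 2k 1k       :", storm_control(TRACE, rising=2000, falling=1000))
    print("pps 2k (no low) :", storm_control(TRACE, rising=2000))
    print("action shutdown :", storm_control(TRACE, rising=2000, action="shutdown"))
```

With a falling level of 1000 pps the port stays blocked through the 1800 and 1200 pps intervals and only resumes at 900 pps; with no falling level it resumes as soon as the rate is under 2000 pps, so a storm hovering just below the rising level flaps the port between blocked and forwarding. The shutdown action turns the first storm into an err-disabled port for the rest of the trace.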
VLAN Attacks
* A VLAN is a logical broadcast domain that can span multiple physical LAN segments (switches).
* Each access port is assigned to only one data VLAN, which adds a layer of segmentation (and hence security).
* Ports in a VLAN share broadcasts; ports in different VLANs do not share broadcasts.
A VLAN hopping attack
It is possible because most switches by default negotiate trunking automatically (DTP in dynamic auto or dynamic desirable mode).
The network attacker configures a system to spoof itself as a switch.
This requires that the attacker be able to emulate either ISL or 802.1Q tagging together with Cisco-proprietary Dynamic Trunking Protocol (DTP) signaling.
By tricking a switch into thinking it is another switch that needs to trunk, an attacker can gain access to all the VLANs allowed on the trunk port.
A VLAN hopping attack can be launched in one of two ways:
1) Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
2) Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim switch from the rogue switch.
The best way to prevent a basic VLAN hopping attack is to turn off trunking on all ports except the ones that specifically require it. On the required trunk ports, disable DTP (auto trunking) negotiation and configure trunking manually.
Double-tagging (or double-encapsulated) VLAN hopping attack
This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q decapsulation; this can allow an attacker in specific situations to embed a hidden 802.1Q tag inside the frame.
This type of attack is unidirectional and works only when the attacker is connected to a port residing in the same VLAN as the native VLAN of the trunk port.
The best approach is to ensure that the native VLAN of the trunk ports is different from the VLAN of the user ports.
In fact, it is considered a security best practice to use a dummy VLAN that is unused throughout the switched LAN as the native VLAN for all 802.1Q trunks in a switched LAN.
Unfortunately, most switches have hardware that is optimized to look for one tag and then to switch the frame. The issue of performance versus security requires administrators to balance their requirements carefully.
Mitigating VLAN hopping attacks that use double 802.1Q encapsulation requires several modifications to the VLAN configuration:
- use a dedicated native VLAN for all trunk ports.
- not using native VLANs for trunk ports anywhere else on the switch.
- disable all unused switch ports and place them in an unused VLAN.
The Dynamic Trunking Protocol (DTP) is a proprietary networking protocol developed by Cisco Systems for the purpose of negotiating trunking on a link between two VLAN-aware switches, and for negotiating the type of trunking encapsulation to be used. It works on the Layer 2 of the OSI model. VLAN trunks formed using DTP may utilize either IEEE 802.1Q or Cisco ISL trunking protocols.
The default native VLAN is VLAN 1.
Switch(config-if)# switchport mode trunk <- manually configure the port as a trunk
Switch(config-if)# switchport nonegotiate <- prevent the generation of DTP frames
Switch(config-if)# switchport trunk native vlan <vlan_number> <- sets the native VLAN on the trunk to an unused VLAN
Cisco Switched Port Analyzer (SPAN)
- A SPAN port mirrors traffic to another port where a monitoring device (IDS sensor, packet capture host) is connected.
- Without this, it can be difficult to track attackers after they have entered the network.
Switch(config)# monitor session 1 source interface gigabitethernet0/1
Switch(config)# monitor session 1 destination interface gigabitethernet0/2 encapsulation replicate
!
! Capture of received and transmitted traffic for VLANs 10 and 20, respectively.
Switch(config)# monitor session 1 source vlan 10 rx
Switch(config)# monitor session 1 source vlan 20 tx
Switch(config)# monitor session 1 destination interface FastEthernet 3/4
Switch# show monitor session <session-number>
PVLANs (Private VLANs)
PVLANs provide layer 2 isolation between ports within the same broadcast domain.
There are three types of PVLAN ports:
- Promiscuous — A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
- Isolated — An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
- Community — Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.
Community PVLAN - hosts can communicate with other hosts in the same secondary (community) VLAN and with the primary VLAN (promiscuous ports), but not with hosts in other secondary VLANs.
Isolated PVLAN - hosts can communicate with the primary VLAN (promiscuous ports) only, not with any other host in the same or another secondary VLAN.
Private VLAN - different VLANs normally map to different IP subnets. When we split a VLAN using PVLANs, hosts in different PVLANs still belong to the same IP subnet, yet now they need to use a router (L3 device) to talk to each other (for example, by using Local Proxy ARP). In turn, the router may either permit or forbid communications between sub-VLANs using access-lists. Commonly, these configurations arise in “shared” environments, say ISP co-location, where it’s beneficial to put multiple customers into the same IP subnet, yet provide a good level of isolation between them.
VTP (versions 1 and 2) must be in transparent mode to create private VLANs.
(config)# vlan 200
(config-vlan)# private-vlan {isolated | community}
! a primary VLAN (private-vlan primary) must also be created and associated with its secondary VLANs (private-vlan association), and the ports mapped to them
PVLAN Edge
Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between ports on the same switch.
The PVLAN Edge feature has the following characteristics:
- A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic is forwarded because these packets are processed by the CPU and forwarded in software.
All data traffic passing between protected ports must be forwarded through a Layer 3 device.
- Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
- The default is to have no protected ports defined.
Switch(config-if)# switchport protected
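The PVLAN port-type rules (promiscuous, isolated, community) and the protected-port rule above, encoded as forwarding decisions that can be checked against a design before it is deployed. This is an added example, not Cisco code; the port roles and community names are constructed.

```python
"""Private VLAN and protected-port (PVLAN Edge) forwarding rules.
Added example, not Cisco code; the port roles below are constructed."""


def pvlan_allowed(src, dst):
    """Is Layer 2 forwarding permitted between two ports of one primary PVLAN?

    Each port is (type, community): type in {"promiscuous", "isolated",
    "community"}; community names the secondary VLAN for community ports.
    """
    s_type, s_comm = src
    d_type, d_comm = dst
    if "promiscuous" in (s_type, d_type):
        return True                                   # promiscuous talks to everyone
    if s_type == d_type == "community" and s_comm == d_comm:
        return True                                   # same community
    return False                                      # isolated, or different communities


def protected_allowed(src_protected, dst_protected):
    """PVLAN Edge: two protected ports never exchange data traffic at Layer 2;
    anything involving a non-protected port is forwarded as usual."""
    return not (src_protected and dst_protected)


def reachability(ports):
    """For each port, the sorted list of other ports it may send to at Layer 2."""
    return {a: sorted(b for b in ports if b != a and pvlan_allowed(ports[a], ports[b]))
            for a in ports}


# Constructed design: one router uplink, two isolated tenants, two communities.
PORTS = {
    "Gi0/1": ("promiscuous", None),
    "Fa0/1": ("isolated", None),
    "Fa0/2": ("isolated", None),
    "Fa0/3": ("community", "web"),
    "Fa0/4": ("community", "web"),
    "Fa0/5": ("community", "db"),
}

if __name__ == "__main__":
    for port, peers in reachability(PORTS).items():
        print(f"{port:6} -> {', '.join(peers)}")
```

The isolated ports reach only the promiscuous uplink, the two web community ports reach each other and the uplink, and the lone db community port behaves like an isolated one until a second member joins; the rest of the traffic has to go through the Layer 3 device on Gi0/1, where an ACL decides.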
VLAN 1
By default, all switch ports are part of VLAN 1.
VLAN 1 is a VLAN like any other. However, when 802.1Q trunking is used, control traffic (VTP, CDP, STP) is sent untagged. Untagged frames on a trunk are also called "native".
All untagged traffic on trunks belongs to native VLAN… except for those control frames which don’t.
Control frames don’t really belong to any VLAN per-se – they belong to the switch, regardless of the VLAN they are received on. This is why traffic like VTP and CDP makes it through.
By default, Catalyst switches operate in PVST+ spanning-tree mode. In this mode, there is a separate instance of spanning-tree for each VLAN.
As a generic security rule, the network administrator should prune any VLAN, and in particular VLAN 1, from all the ports where that VLAN is not strictly needed.
prune [pruːn] = eliminate, exclude
L2 security recommendations (best practices):
- Manage switches in a secure manner (i.e., SSH, out-of-band management, ACLs, etc.).
- Use CDP only where necessary.
- Use port security where possible for access ports.
- Set all user ports to non-trunking ports (unless you are using Cisco VoIP).
- Configure PortFast on all non-trunking ports.
- Configure root guard on ports facing switches that must not become root (not on the switch's own root port).
- Configure BPDU guard on all non-trunking ports.
- Configure PVLAN Edge where necessary.
- Always use a dedicated, unused VLAN ID for the native VLAN.
- Use deterministic VLAN instead of the default VLAN 1.
- VLAN 1 should not be used (Cisco recommended practice for Layer 2 security, Exam question)
- Disable all unused ports and put them in an unused VLAN.
- Manually configure all trunk ports and disable DTP on trunk ports.
- Configure all non-trunking ports with switchport mode access.
- Limit the number of MAC addresses learned on a given port with the 'port security' feature.
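Most of the items in the list above can be checked mechanically from a switch's running-config. The following is an added example (not course or Cisco code) that parses the per-interface blocks of an IOS-style configuration and reports the deviations: access ports without port security, PortFast or BPDU guard, access or native VLANs left at the default VLAN 1, trunks that still negotiate DTP, and ports with no explicit mode at all. The configuration it reads is constructed for the demo; the hostname, interface names and VLAN numbers are placeholders, and global settings such as 'spanning-tree portfast bpduguard default' are deliberately not considered.

```python
"""Audit an IOS running-config against the Layer 2 best practices above.
Added example; the config below is constructed and all names are placeholders.
Only per-interface commands are examined (global defaults are ignored)."""
from typing import Dict, List, Optional

# Constructed running-config with a mix of compliant and non-compliant ports.
SAMPLE_CONFIG = """\
hostname SW1-EXAMPLE
!
interface FastEthernet0/1
 description compliant user port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description user port with defaults left in place
 switchport mode access
!
interface FastEthernet0/3
 description unused port parked in an unused VLAN
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface FastEthernet0/4
 description no explicit mode, DTP may negotiate
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to the commands indented under it."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def _vlan_from(cmds: List[str], prefix: str) -> int:
    """VLAN number following `prefix`; IOS defaults to VLAN 1 when absent."""
    for cmd in cmds:
        if cmd.startswith(prefix + " ") and cmd[len(prefix) + 1:].isdigit():
            return int(cmd[len(prefix) + 1:])
    return 1


def audit_interface(cmds: List[str]) -> List[str]:
    """Return the best-practice violations found on one interface."""
    findings: List[str] = []
    mode = next((c[len("switchport mode "):] for c in cmds
                 if c.startswith("switchport mode ")), None)
    if mode == "access":
        if _vlan_from(cmds, "switchport access vlan") == 1:
            findings.append("access port left in VLAN 1")
        if "shutdown" not in cmds:  # a disabled port only needs the VLAN check
            if "switchport port-security" not in cmds:
                findings.append("port security not enabled")
            if "spanning-tree portfast" not in cmds:
                findings.append("PortFast not configured")
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append("BPDU guard not enabled")
    elif mode == "trunk":
        if "switchport nonegotiate" not in cmds:
            findings.append("DTP still enabled on trunk")
        if _vlan_from(cmds, "switchport trunk native vlan") == 1:
            findings.append("native VLAN is VLAN 1")
    else:
        findings.append("no explicit access/trunk mode (DTP negotiation possible)")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Interfaces with at least one finding, keyed by interface name."""
    report: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_interface(cmds)
        if findings:
            report[name] = findings
    return report
```

Running audit_config(SAMPLE_CONFIG) leaves FastEthernet0/1, FastEthernet0/3 and GigabitEthernet0/1 out of the report and lists four findings for FastEthernet0/2, two for GigabitEthernet0/2 and one for FastEthernet0/4. Port FastEthernet0/3 passes only because it is both shut down and moved out of VLAN 1, which is exactly the treatment the list prescribes for unused ports.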
3) Wireless, VoIP, SAN Security
WLAN - Wireless LAN
Wireless LANs rely on radio frequency (RF) technology. RF technology has existed since the late nineteenth century.
VoIP - Voice over IP
VoIP technology became commercially available in the 1990s.
SAN - Storage area networks
SAN technology did not formally enter the market until the early 2000s. The approach here follows the historical order.
Wireless security
WLC - Cisco WLAN Controller, and Cisco ISRs with the Cisco WLAN Controller Module (WLCM) - can manage several WLAN APs (access points) and simplify the deployment and management of the WLAN.
The lightweight AP-wireless controller solution has several benefits that were not previously available, such as rogue AP detection and location.
Cisco WLCs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, QoS, and mobility. These functions work in conjunction with APs and the Cisco Wireless Control System (WCS) to support wireless applications.
Cisco WLCs smoothly integrate into existing enterprise networks. They communicate with lightweight APs over any Layer 2 or Layer 3 infrastructure using the Lightweight Access Point Protocol (LWAPP).
Cisco WLCs support the IEEE 802.11a/b/g and 802.11n standards, so organizations can deploy the solution that best meets their individual requirements.
WCS (Cisco Wireless Control System) - platform for managing 802.11a/b/g/n WLANs: deploy, monitor, troubleshoot and report on indoor and outdoor WLANs.
WISM (Cisco Catalyst 6500/7600 Wireless Services Module) - Cisco WLAN controller which works with Cisco Aironet APs and WCS to support critical wireless data, voice and video.
The most popular form of wireless hacking is called war driving, where a hacker attempts to gain access to wireless networks on their laptop while driving around a metropolitan or suburban area.
It is never safe to connect to an open wireless network, especially in a public area, unless the connection is followed by an encrypted VPN connection to another network.
Wireless hackers have an array of tools:
- Network Stumbler software finds wireless networks.
- Kismet software displays wireless networks that do not broadcast their SSIDs.
- AirSnort software sniffs and cracks WEP keys.
- CoWPAtty cracks WPA-PSK (WPA1).
- ASLEAP gathers authentication data.
- Wireshark can scan wireless Ethernet data and 802.11 SSIDs.
WPA (IEEE 802.11i) and WPA2 (aka IEEE 802.11i-2004)
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed to secure wireless computer networks.
- TKIP (Temporal Key Integrity Protocol) is an encryption method. TKIP provides per-packet key mixing, a message integrity check, and a re-keying mechanism.
- AES (short for Advanced Encryption Standard) is the Wi-Fi® authorized strong encryption standard.
WPA-Personal = WPA-PSK mode, with TKIP or AES, using a Pre-Shared Key (PSK) of 8 to 63 characters in length. WPA-PSK is designed for home and small office networks that don't require the complexity
WPA-Enterprise = WPA-802.1X mode - is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). An Extensible Authentication Protocol (EAP) is used for authentication, which comes in different flavors.
"The choice between TKIP (Temporal Key Integrity Protocol) and AES (Advanced Encryption Standard) is a choice between old and new technologies, respectively. So the short answer to your question is that AES is more secure."
WEP
Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks (it has numerous flaws and has been deprecated in favor of newer standards such as WPA2).
Brute force time to break encryption:
WEP - < 10 minutes
WPA - 21-character password - > 4 x 10^20 years
WPA2 - more ...
The network administrator should keep several security considerations in mind:
- Wireless networks using WEP or WPA/TKIP are not very secure and are vulnerable to hacking attacks.
- Wireless networks using WPA2/AES should have a pass phrase of at least 21 characters.
- If an IPsec VPN is available, use it on any public wireless LAN.
- If wireless access is not needed, disable the wireless radio or wireless NIC.
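The 8-to-63-character PSK range and the 21-character recommendation above both come down to how WPA-Personal turns the passphrase into a key. The block below is an added example, not course material: it performs the derivation IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations, 256-bit output), checks the page's length policy, and estimates the bits of work needed to exhaust passphrases of a given length. The demo SSID and passphrases are constructed; the only real value is the 802.11i test vector for "password" on SSID "IEEE".

```python
"""WPA/WPA2-Personal: passphrase -> 256-bit PSK, plus the length policy above.
Added example; demo SSID and passphrases are constructed."""
import hashlib
import math

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PSK_BYTES = 32             # 256-bit PSK for WPA-Personal
MIN_PASSPHRASE_CHARS = 21  # course recommendation for WPA2/AES
PRINTABLE_ASCII = 95       # alphabet size assumed for the work-factor estimate


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK computed identically by the station and the AP from the passphrase.

    The SSID is the salt, so the same passphrase yields a different PSK on every
    network, and each candidate an offline guesser tries costs the full 4096
    HMAC-SHA1 rounds; passphrase length is what makes that cost add up."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), PBKDF2_ITERATIONS, PSK_BYTES)


def keyspace_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """log2 of the number of passphrases of this length, i.e. bits of work to
    exhaust them, assuming every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def meets_length_policy(passphrase: str) -> bool:
    """True when the passphrase satisfies the 21-character recommendation."""
    return len(passphrase) >= MIN_PASSPHRASE_CHARS


if __name__ == "__main__":
    for phrase in ("password", "correct-horse-battery-staple"):  # constructed
        print(f"{phrase!r}: {len(phrase)} chars, ~{keyspace_bits(len(phrase)):.0f} bits,"
              f" policy ok={meets_length_policy(phrase)}")
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
```

A 21-character passphrase over printable ASCII gives roughly 138 bits of keyspace, which is why the course treats that length as sufficient for WPA2/AES; the PBKDF2 cost per guess is the same for every passphrase, so length (and randomness) is the only lever the administrator has.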
VoIP security
VoIP is the transmission of voice traffic over IP-based networks.
IP was originally designed for data networking, but its success in data networking has led to its adaptation to voice traffic.
VoIP has become popular largely because of the cost savings over traditional telephone networks. Using the Internet connection for both data traffic and voice calls allows consumers to reduce their monthly phone bill. For international calls, the monetary savings can be enormous.
VoIP has a number of business advantages:
- Lower telecom call costs are significant. VoIP service providers charge up to 50 percent less for phone connectivity service than traditional phone companies.
- Productivity increases with VoIP phone service can be substantial (additional services).
- Move, add, and change costs are much lower. VoIP flexibility enables easily moving a phone between workstations.
- Ongoing service and maintenance costs can be lower.
- Many VoIP systems require little or no training for users.
- Mobile phone charges decrease as employees make calls via their laptop instead of their mobile phone. These network calls are part of the network charges and cost only the amount of the Internet connection itself.
- Telecommuting phone costs are decreased and there are no major setup fees. Voice communication takes place over a broadband connection.
- VoIP enables unified messaging. Information systems are integrated.
- Encryption of voice calls is supported.
- Fewer administrative personnel are needed for answering telephones.
There are several threats specific to VoIP networks:
- Unauthorized Access to Voice Resources
- Compromising Network Resources
- Eavesdropping (unauthorized interception of voice packets or RTP media streams)
- DoS Attacks (malicious attacking or overloading of call-processing equipment to deny access to services by legitimate users; DHCP starvation, flooding, and fuzzing)
Directed attacks such as Spam over Internet Telephony (SPIT): SPIT is unsolicited and unwanted bulk messages broadcast over VoIP to the end users of an enterprise network.
Antispam methods do not block SPIT.
Authenticated TLS stops most SPIT attacks because TLS (Transport Layer Security) endpoints accept packets only from trusted devices.
Two common types of fraud in VoIP networks are vishing and toll fraud:
- Vishing (voice phishing) uses telephony to glean (gather) information, such as account details directly from users. Victims first received an email pretending to come from PayPal asking them to verify their credit card details over the phone. (Users still trust the telephone more than the web, but these spamming techniques can undermine user confidence in VoIP.)
- Toll Fraud is the theft of long-distance telephone service by unauthorized access to a PSTN trunk (an outside line) on a PBX or voice-mail system.
This fraud is not new and PBXs have always been vulnerable. The difference is that few people could hack into PBXs, compared to the numbers of people actively breaking into IP systems.
- SIP (Session Initiation Protocol) Vulnerabilities - SIP is a signaling protocol widely used for controlling communication sessions such as VoIP sessions. Some of its characteristics also leave it vulnerable to hackers, such as using text for encoding and SIP extensions that can create security holes:
* Registration hijacking – Allows a hacker to intercept incoming calls and reroute them.
* Message tampering – Allows a hacker to modify data packets traveling between SIP addresses.
* Session tear-down – Allows a hacker to terminate calls or carry out VoIP-targeted DoS attacks.
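Because SIP is text-encoded, the three abuses listed above are visible in the REGISTER requests a registrar receives. The following is an added example, not course or Cisco code: a small SIP header parser and a monitor that keeps track of which Contact host each address-of-record (AOR) is bound to, and flags a REGISTER without an Authorization header, a binding that moves to a different host (the shape of a registration hijack), and a wildcard Contact with Expires: 0 (which removes every binding for the AOR, a tear-down). The three messages and the hosts in them are constructed; 198.51.100.0/24 is a documentation address range and example.com a placeholder domain. The monitor records the binding each request asks for; it does not see the registrar's response, so an unauthenticated request that a real registrar would challenge still updates the table here.

```python
"""Detection of suspicious SIP REGISTER traffic. Added example; messages,
hosts and the registrar domain below are constructed placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed REGISTER requests as (source IP, raw message): 1 is a normal
# authenticated registration, 2 rebinds alice's AOR without credentials,
# 3 wipes all of alice's bindings.
CONSTRUCTED_REGISTERS: List[Tuple[str, str]] = [
    ("10.0.0.5",
     "REGISTER sip:example.com SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK-1\r\n"
     "From: <sip:alice@example.com>;tag=1\r\n"
     "To: <sip:alice@example.com>\r\n"
     "Call-ID: c1@10.0.0.5\r\n"
     "CSeq: 1 REGISTER\r\n"
     "Contact: <sip:alice@10.0.0.5:5060>\r\n"
     "Authorization: Digest username=\"alice\", realm=\"example.com\", "
     "nonce=\"n1\", response=\"r1\"\r\n"
     "Expires: 3600\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("198.51.100.7",
     "REGISTER sip:example.com SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-2\r\n"
     "From: <sip:alice@example.com>;tag=2\r\n"
     "To: <sip:alice@example.com>\r\n"
     "Call-ID: c2@198.51.100.7\r\n"
     "CSeq: 1 REGISTER\r\n"
     "Contact: <sip:alice@198.51.100.7:5060>\r\n"
     "Expires: 3600\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("198.51.100.7",
     "REGISTER sip:example.com SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-3\r\n"
     "From: <sip:alice@example.com>;tag=3\r\n"
     "To: <sip:alice@example.com>\r\n"
     "Call-ID: c3@198.51.100.7\r\n"
     "CSeq: 2 REGISTER\r\n"
     "Contact: *\r\n"
     "Authorization: Digest username=\"alice\", realm=\"example.com\", "
     "nonce=\"n3\", response=\"r3\"\r\n"
     "Expires: 0\r\n"
     "Content-Length: 0\r\n\r\n"),
]

URI_IN_BRACKETS = re.compile(r"<([^>]+)>")
CONTACT_HOST = re.compile(r"sip:(?:[^@>]+@)?([^:;>]+)")  # host part of a SIP URI


def parse_sip(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a request into (method, {lower-cased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


class RegistrationMonitor:
    """Tracks AOR -> Contact host and reports suspicious REGISTER requests."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def inspect(self, src_ip: str, raw: str) -> List[str]:
        method, headers = parse_sip(raw)
        if method != "REGISTER":
            return []
        match = URI_IN_BRACKETS.search(headers.get("to", ""))
        aor = match.group(1) if match else headers.get("to", "?")
        findings: List[str] = []
        if "authorization" not in headers:
            findings.append(f"{aor}: REGISTER from {src_ip} without Authorization")
        contact = headers.get("contact", "")
        if contact == "*" and headers.get("expires") == "0":
            findings.append(f"{aor}: wildcard Contact with Expires: 0 from {src_ip} removes all bindings")
            self.bindings.pop(aor, None)
            return findings
        host_match = CONTACT_HOST.search(contact)
        if host_match:
            host = host_match.group(1)
            previous = self.bindings.get(aor)
            if previous and previous != host:
                findings.append(f"{aor}: binding moved from {previous} to {host} (src {src_ip})")
            self.bindings[aor] = host
        return findings


def run_monitor(messages: List[Tuple[str, str]]) -> List[List[str]]:
    """Findings per message, in order, from a single monitor instance."""
    monitor = RegistrationMonitor()
    return [monitor.inspect(src, raw) for src, raw in messages]
```

run_monitor(CONSTRUCTED_REGISTERS) returns no findings for the first message, two for the second (missing Authorization, and alice's binding moving from 10.0.0.5 to 198.51.100.7) and one for the third (the wildcard tear-down). In a deployment these checks would sit on the voice VLAN, where the ACLs described below already limit who can reach the registrar at all.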
VoIP security solutions - separating voice traffic into a dedicated voice VLAN:
* Creates a separate broadcast domain for voice traffic.
Understanding and establishing broadcast domains is one of the fundamental concepts in designing secure IP networks. Many simple yet dangerous attacks can be launched if the attacking device resides within the same broadcast domain as the target system. For this reason, IP phones, VoIP gateways, and network management workstations should always be on their own subnet, separate from the rest of the data network and from each other.
* Protects against eavesdropping and tampering (altering).
VLANs can segment voice traffic from data traffic, preventing access to the voice VLAN from the data VLAN.
* Renders packet-sniffing tools less effective.
* Makes it easier to implement VACLs (VLAN access control lists) that are specific to voice traffic.
By understanding the protocols that are used between devices in the VoIP network, effective ACLs can be implemented on the voice VLANs. Many of the IP phone attacks can be stopped by using ACLs on the voice VLANs to prevent deviations from these principles.
Cisco ASA inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards. Cisco ASA can also provide these capabilities to help protect voice traffic:
- Ensure SIP, SCCP, H.323, and MGCP requests conform to standards.
- Prevent inappropriate SIP methods from being sent to Cisco Unified Communications Manager.
- Rate limit SIP requests.
- Enforce call policy (whitelist, blacklist, caller/called party, SIP Uniform Resource Identifier).
- Dynamically open ports for Cisco applications.
- Enable only "registered phones" to make calls.
- Enable inspection of encrypted phone calls.
Cisco IOS firewalls also provide many of these secure features.
Recommended Security Practices for VoIP:
- Use IPsec for authentication (VPNs)
- Use IPsec to protect all traffic, not just voice
- Consider SLA with service provider (QoS)
- Terminate on a router inside of a firewall to gain these benefits: Improves performance / Reduces configuration complexity / Provides manageable boundaries.
The newer versions of Cisco Unified Communications Manager disable unnecessary services, disable default usernames, allow only signed images to be installed, and support secure management protocols. (Use signed firmware/ Use signed configuration files/ Disable unnecessary features)
SAN Security
SAN technology enables faster, easier, more reliable access to data.
A SAN is a specialized network that enables fast, reliable access among servers and external storage resources. In a SAN, a storage device is not the exclusive property of any one server. Rather, storage devices are shared among all networked servers as peer resources.
A SAN does not need to be a physically separate network, but sharing infrastructure must not result in an unacceptable security compromise or reduced performance.
SANs in enterprise infrastructures address three primary business requirements:
- Money Saving (Reduce capital and operating expenses)
- Prioritizing (Increase agility to support changing business priorities, application requirements, and revenue growth)
- Improve long-distance replication, backup, and recovery to meet regulatory requirements and industry best practices.
As with SAN technology, iSCSI provides for block-level disk access.
iSCSI clients = initiators
iSCSI servers = targets
Cisco provides an enterprise-wide approach to deploying scalable, highly available, and more easily administered SANs. These include consolidated Fibre Channel, Fibre Channel over IP (FCIP), Internet Small Computer Systems Interface (iSCSI), Gigabit Ethernet, or optical network.
SCSI (Small Computer System Interface /ˈskʌzi/ ) command protocol is the de facto standard that is used extensively in high-performance storage applications.
Three major SAN transport technologies:
- Fibre Channel - is a high-speed network technology (commonly running at 2-, 4-, 8- and 16-gigabit speeds) primarily used for SAN. It is for host-to-SAN connectivity. Traditionally, SANs have required a separate dedicated infrastructure to interconnect hosts and storage systems. Fibre Channel networks provide a serial transport for the SCSI protocol.
Fibre Channel Protocol (FCP) is a transport protocol (similar to TCP used in IP networks) that predominantly transports SCSI commands over Fibre Channel networks.
- iSCSI - Maps SCSI over TCP/IP (used in the LAN). iSCSI leverages an investment in existing IP networks to build and extend SANs.
- FCIP - Popular SAN-to-SAN connectivity model that is often used over the WAN or MAN (metropolitan area network). SAN designers can use the open-standard FCIP protocol to break the distance barrier of current Fibre Channel solutions and enable interconnection of SAN islands over extended distances.
In a block level storage device, raw storage volumes are created, and then the server-based operating system connects to these volumes and uses them as individual hard drives. This makes block level storage usable for almost any kind of application, including file storage, database storage, virtual machine file system (VMFS) volumes, and more. You can place any kind of file system on block level storage. So, if you’re running Windows, your volumes will be formatted with NTFS; VMware servers will use VMFS.
Interface throughput comparison:
- iSCSI over Gigabit Ethernet: 125 MB/s
- Ultra DMA ATA 133: 133 MB/s
- Serial ATA (SATA-150): 187.5 MB/s
- Fibre Channel 2GFC (2.125 GHz): 212.5 MB/s
- Serial Attached SCSI (SAS): 300 MB/s
- Ultra-320 SCSI (Ultra4 SCSI): 320 MB/s
- iSCSI over 10GbE: 1,250 MB/s
An HBA (host bus adapter) is an I/O adapter that sits between the bus of the host computer and the Fibre Channel loop and manages the transfer of information between the two channels.
In computer storage, a logical unit number (LUN) is a 64-bit address for an individual disk drive and, by extension, the disk device itself.
LUN masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts.
LUN masking is implemented primarily at the host bus adapter (HBA) level. LUN masking that is implemented at this level is vulnerable to any attack that compromises the HBA.
The security benefits of LUN masking are limited because, with many HBAs, it is possible to forge source addresses.
Today, LUNs are normally not individual disk drives but virtual partitions (or volumes) of a Redundant Array of Independent Disks (RAID) set.
A world wide name (WWN) is a 64-bit address that Fibre Channel networks use to uniquely identify each element in a Fibre Channel network. Zoning can utilize WWNs to assign security permissions. Zoning can also use name servers in the switches to either allow or block access to particular WWNs in the fabric.
Zoning is sometimes confused with LUN masking, because both processes have the same objectives.
The difference is that zoning is implemented on fabric switches while LUN masking is performed on endpoint devices.
Fibre Channel fabric zoning has the benefit of securing device access and allowing operating system coexistence. Zoning applies only to the switched fabric topology; it does not exist in simpler Fibre Channel topologies.
A virtual storage area network (VSAN) is a collection of ports from a set of connected Fibre Channel switches that form a virtual fabric. Ports can be partitioned within a single switch into multiple VSANs. Additionally, multiple switches can join any number of ports to form a single VSAN. In this manner, VSANs strongly resemble VLANs. Like VLANs, traffic is tagged as it crosses inter-switch links with the VSAN ID.
VSANs were originally invented by Cisco, but they have now been adopted as an ANSI standard.
There are six critical areas to consider when securing a SAN:
1. SAN management - Secure the management services that are used to administer the SAN.
2. Fabric access - Secure access to the fabric (the hardware that connects servers to storage devices)
3. Target access - Secure access to storage devices (targets) and LUNs.
4. SAN protocols - Secure the protocols that are used in switch-to-switch communication.
5. IP storage - Secure FCIP and iSCSI.
6. Data integrity and secrecy - Encrypt data as it crosses networks as well as when stored on disks.
SAN security concerns to consider:
- Disruption of switch processing - A DoS attack can cause excessive load on the CPU, rendering the CPU unable to react to fabric events.
- Compromise of fabric - Changed configurations or lost configurations can result in changes to the configured services or ports.
- Compromise of data integrity and confidentiality - Breaching the actual data compromises the integrity and confidentiality of stored information.
To prevent these types of issues, use VSANs and zoning.
Zoning is the prime mechanism for securing access to SAN targets (disk and tape).
There are two main methods of zoning, hard and soft.
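The relationship between VSANs, zoning and LUN masking described above (same objective, different enforcement points) is easiest to see as a layered access decision. The block below is an added example, not course or Cisco code: a model in which the fabric first checks VSAN membership (traffic never crosses VSANs, as with VLANs), then soft zoning by WWN, and the storage target finally applies its LUN mask; an initiator reaches a LUN only if every layer permits it. The WWNs, VSAN numbers and LUN layout are constructed.

```python
"""Layered SAN access control: VSAN membership, fabric zoning, LUN masking.
Added example; WWNs, VSAN numbers and LUN layout are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed 64-bit WWNs, written as eight octets.
HOST_A = "10:00:00:00:c9:00:00:0a"
HOST_B = "10:00:00:00:c9:00:00:0b"
HOST_C = "10:00:00:00:c9:00:00:0c"
ARRAY = "50:06:01:60:00:00:00:01"


@dataclass
class Fabric:
    """Switch-side controls: VSAN of each port (by WWN) and the zones in each
    VSAN. Zones here are soft zones, i.e. membership is by WWN."""
    vsan_of: Dict[str, int]
    zones: Dict[int, List[FrozenSet[str]]]

    def allows(self, initiator: str, target: str) -> bool:
        vsan = self.vsan_of.get(initiator)
        # Like VLANs, traffic never crosses VSANs.
        if vsan is None or vsan != self.vsan_of.get(target):
            return False
        # Zoning: initiator and target must share at least one zone.
        return any(initiator in zone and target in zone
                   for zone in self.zones.get(vsan, []))


@dataclass
class StorageTarget:
    """Endpoint-side control: LUN masking decides which initiators see a LUN."""
    wwn: str
    lun_masks: Dict[int, Set[str]]

    def lun_visible(self, initiator: str, lun: int) -> bool:
        return initiator in self.lun_masks.get(lun, set())


def can_access(fabric: Fabric, target: StorageTarget, initiator: str, lun: int) -> bool:
    """An initiator reaches a LUN only if the fabric and the target both permit it."""
    return fabric.allows(initiator, target.wwn) and target.lun_visible(initiator, lun)


# Constructed topology: hosts A and B and the array are in VSAN 10, host C in
# VSAN 20; only host A is zoned with the array; LUN 1 is masked to A and B.
FABRIC = Fabric(
    vsan_of={HOST_A: 10, HOST_B: 10, ARRAY: 10, HOST_C: 20},
    zones={10: [frozenset({HOST_A, ARRAY})]},
)
TARGET = StorageTarget(wwn=ARRAY, lun_masks={0: {HOST_A}, 1: {HOST_A, HOST_B}})
```

Host B is on the array's LUN 1 mask but is not zoned with the array, so can_access(FABRIC, TARGET, HOST_B, 1) is False; host C is masked out of nothing but lives in another VSAN and never reaches the fabric check. Note that both the zone and the mask in this model key on the initiator's WWN, which is the limitation the page points out for HBA-level masking: a forged WWN satisfies both layers, whereas hard zoning (membership by physical switch port) does not depend on the identity the HBA presents.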
iSCSI (Internet SCSI) leverages many of the security features inherent in Ethernet and IP:
- ACLs are similar to Fibre Channel zones,
- VLANs are similar to Fibre Channel VSANs,
- 802.1X port security is similar to Fibre Channel port security. (802.1X is an IEEE Standard for port-based Network Access Control.)
FCIP (Fibre Channel over IP) security leverages many IP security features in Cisco IOS-based routers:
- IPsec VPN connections through public carriers,
- High-speed encryption services in specialized hardware,
- Can be run through a firewall.