
Minimizing Service Loss and Data Theft



  1. Understanding Switch Security Issues: Minimizing Service Loss and Data Theft

  2. Overview of Switch Security

  3. Modularizing Internal Security

  4. Reasons for Internal Security
     • The enterprise campus is protected by security functions in the enterprise edge:
       • If the enterprise edge security fails, the enterprise campus is vulnerable.
       • A potential attacker can gain physical access to the enterprise campus.
       • Some network solutions require indirect external access to the enterprise campus.
     • All vital elements in the enterprise campus must be protected independently.

  5. Rogue Devices
     • Rogue network devices can be:
       • Switches
       • Wireless access points
       • Hubs
     • Connected to ports on access switches
     • Connecting devices such as laptops or printers

  6. Switch Attack Categories
     • MAC address-based attacks
       • MAC address flooding
     • VLAN attacks
       • VLAN hopping
     • Spoofing attacks
       • Spoofing of DHCP, ARP, and MAC addressing
     • Attacks on switch devices
       • Cisco Discovery Protocol
       • Management protocols

  7. MAC Flooding Attack

  8. Port Security Prevents MAC-Based Attacks
     • PROBLEM:
       • Script kiddie hacking tools enable attackers to flood switch CAM tables with bogus MACs.
       • Once the CAM table is full, the switch behaves like a hub for the VLAN and floods all unicast frames.
       • The switch CAM table holds a limited number of MAC addresses.
     • SOLUTION:
       • Port security limits MAC flooding attacks and locks down the port.
       • Port security sets an SNMP trap.
       • Allowed frames are forwarded.
       • New MAC addresses beyond the configured limit are not allowed.
       • The switch responds to nonallowed frames according to the configured violation action.

  9. Configuring Port Security on a Switch
     • Enable port security.
     • Set MAC address limit.
     • Specify allowable MAC addresses (optional).
     • Define violation actions (shutdown / protect / restrict).
     • Configure address aging (optional).

     switch(config)# interface fa0/1
     switch(config-if)# description Access Port
     switch(config-if)# switchport mode access
     switch(config-if)# switchport access vlan 2
     switch(config-if)# switchport port-security
     switch(config-if)# switchport port-security maximum 2
     switch(config-if)# switchport port-security mac-address 0000.1111.2222
     switch(config-if)# switchport port-security mac-address 0000.1111.3333
     switch(config-if)# switchport port-security violation restrict
     switch(config-if)# switchport port-security aging time 60
     switch(config-if)# switchport port-security aging type inactivity
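The two slides above describe why a bounded CAM table matters and what the three violation actions do. The model below is an added illustration, not code from the course or from any Cisco product: it simulates a small CAM table (4 entries, a constructed size; real switches hold thousands) with and without a per-port secure address limit, so the effect of `maximum` and of `protect` / `restrict` / `shutdown` can be seen on constructed MAC addresses and port names.

```python
"""Model of a switch CAM table with and without port security (added example)."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    secure: set = field(default_factory=set)   # secure MACs learned on the port
    violations: int = 0                  # "Security Violation Count"
    err_disabled: bool = False


@dataclass
class Switch:
    cam_size: int                         # constructed table size for the demo
    cam: dict = field(default_factory=dict)              # mac -> port
    port_security: dict = field(default_factory=dict)    # port -> PortSecurity

    def enable_port_security(self, port, maximum, violation):
        self.port_security[port] = PortSecurity(maximum=maximum, violation=violation)

    def learn(self, port, src_mac):
        """Process the source MAC of an ingress frame and return the action taken."""
        ps = self.port_security.get(port)
        if ps is not None:
            if ps.err_disabled:
                return "dropped (port err-disabled)"
            if src_mac not in ps.secure:
                if len(ps.secure) >= ps.maximum:
                    # Over the limit: behaviour depends on the violation mode.
                    if ps.violation == "protect":
                        return "dropped (protect: silently discarded)"
                    if ps.violation == "restrict":
                        ps.violations += 1
                        return "dropped (restrict: counter incremented, SNMP trap)"
                    ps.violations += 1
                    ps.err_disabled = True
                    return "port err-disabled (shutdown)"
                ps.secure.add(src_mac)
        if src_mac not in self.cam and len(self.cam) >= self.cam_size:
            # Without port security nothing stops bogus MACs filling the table,
            # and later legitimate hosts can no longer be learned.
            return "not learned (CAM table full)"
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Return the egress port for a known destination, or 'flood' (hub-like)."""
        return self.cam.get(dst_mac, "flood")


def scenario(with_port_security):
    """Bogus MACs arrive on Fa0/2, then a real host appears on Fa0/1."""
    sw = Switch(cam_size=4)
    if with_port_security:
        sw.enable_port_security("Fa0/2", maximum=2, violation="restrict")
    bogus = [f"0000.aaaa.{i:04x}" for i in range(6)]      # constructed MACs
    for mac in bogus:
        sw.learn("Fa0/2", mac)
    sw.learn("Fa0/1", "001b.d513.2ad2")                    # the host from the slides
    ps = sw.port_security.get("Fa0/2")
    return {
        "egress": sw.forward("001b.d513.2ad2"),
        "cam_entries": len(sw.cam),
        "violations": ps.violations if ps else 0,
    }


def shutdown_mode():
    """Show that 'shutdown' err-disables the port on the first excess address."""
    sw = Switch(cam_size=4)
    sw.enable_port_security("Fa0/3", maximum=1, violation="shutdown")
    first = sw.learn("Fa0/3", "0000.1111.2222")
    second = sw.learn("Fa0/3", "0000.1111.3333")
    third = sw.learn("Fa0/3", "0000.1111.2222")   # even the secure MAC is now dropped
    return first, second, third


if __name__ == "__main__":
    print("no port security :", scenario(False))
    print("port security    :", scenario(True))
    print("shutdown mode    :", shutdown_mode())
```

Without the limit, four bogus addresses fill the table and the legitimate host's traffic is flooded to every port; with `maximum 2` and `restrict`, only two bogus addresses are admitted, the other four raise the violation counter (the value `show port-security` reports), and the real host is learned normally.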

  10. Verifying Port Security

     switch# show port-security [interface intf-id] [address]

     switch# show port-security interface fastethernet0/1
     Port Security              : Enabled
     Port Status                : Secure-up
     Violation Mode             : Restrict
     Aging Time                 : 60 mins
     Aging Type                 : Inactivity
     SecureStatic Address Aging : Enabled
     Maximum MAC Addresses      : 2
     Total MAC Addresses        : 1
     Configured MAC Addresses   : 0
     Sticky MAC Addresses       : 0
     Last Source Address:Vlan   : 001b.d513.2ad2:5
     Security Violation Count   : 0

  11. Verifying Port Security (Cont.)

     switch# show port-security
     Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                     (Count)       (Count)          (Count)
     ---------------------------------------------------------------------------
           Fa0/1              2            1                  0         Restrict
     ---------------------------------------------------------------------------
     Total Addresses in System (excluding one mac per port)     : 0
     Max Addresses limit in System (excluding one mac per port) : 6144

     switch# show port-security address
               Secure Mac Address Table
     ---------------------------------------------------------------------------
     Vlan    Mac Address       Type            Ports   Remaining Age (mins)
     ----    -----------       ----            -----   --------------------
        2    001b.d513.2ad2    SecureDynamic   Fa0/1   60 (I)
     ---------------------------------------------------------------------------
     Total Addresses in System (excluding one mac per port)     : 0
     Max Addresses limit in System (excluding one mac per port) : 6144
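The summary table from `show port-security` is the quickest place to see which ports have already recorded violations or have reached their address limit. The parser below is an added example, not part of the slides or of any Cisco tooling; it reads the table layout shown above from a constructed sample (the Fa0/2 row, with three violations and `Shutdown` action, is made up to give the check something to report) and returns the ports an operator should look at.

```python
"""Parse `show port-security` summary output and flag ports needing attention (added example)."""
import re

# Constructed sample in the layout of the slide; Fa0/2 is invented for the demo.
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Restrict
      Fa0/2              1            1                  3         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144
"""

# One data row: port name, three integer counters, violation action.
ROW = re.compile(
    r"^\s*(?P<port>[A-Za-z]+\d+(?:/\d+)+)\s+(?P<max>\d+)\s+(?P<cur>\d+)"
    r"\s+(?P<viol>\d+)\s+(?P<action>\w+)\s*$"
)


def parse_port_security(text):
    """Return one dict per port row; header, separator and total lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "port": m["port"],
                "max": int(m["max"]),
                "current": int(m["cur"]),
                "violations": int(m["viol"]),
                "action": m["action"],
            })
    return rows


def ports_needing_attention(rows):
    """Flag ports with a non-zero violation count or no free secure-address slots."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append((r["port"], f"{r['violations']} violation(s) recorded, action {r['action']}"))
        if r["current"] >= r["max"]:
            findings.append((r["port"], "secure address limit reached"))
    return findings


if __name__ == "__main__":
    for port, reason in ports_needing_attention(parse_port_security(SAMPLE_OUTPUT)):
        print(f"{port}: {reason}")
```

A port whose `CurrentAddr` equals `MaxSecureAddr` is not faulty, but any new MAC on it will trigger the violation action, so it is worth knowing about before a user plugs in a second device.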

  12. Configuring Sticky MAC Addresses

     switch(config)# interface fa0/1
     switch(config-if)# switchport port-security mac-address sticky

     switch# show port-security address
               Secure Mac Address Table
     ---------------------------------------------------------------------------
     Vlan    Mac Address       Type            Ports   Remaining Age (mins)
     ----    -----------       ----            -----   --------------------
        2    001b.d513.2ad2    SecureSticky    Fa0/1   -

     switch# show running-config interface fastethernet 0/1
     interface FastEthernet0/1
      switchport access vlan 2
      switchport mode access
      switchport port-security maximum 2
      switchport port-security
      switchport port-security violation restrict
      switchport port-security mac-address sticky
      switchport port-security mac-address sticky 001b.d513.2ad2

  13. AAA Network Configuration
     • Authentication
       • Verifies a user's identity
     • Authorization
       • Specifies the permitted tasks for the user
     • Accounting
       • Provides billing, auditing, and monitoring

  14. Configuring User AAA Authentication
     • Enable AAA.
     • Configure RADIUS server.
     • Configure authentication methods.
     • Apply methods to interfaces.

     sw(config)# username admin password cisco
     sw(config)# aaa new-model
     sw(config)# radius-server host 10.1.1.50 auth-port 1812 key xyz123
     sw(config)# aaa authentication login default group radius local line
     sw(config)# aaa authentication login NO_AUTH none
     sw(config)# line vty 0 15
     sw(config-line)# login authentication default
     sw(config-line)# password sanfran
     sw(config-line)# line console 0
     sw(config-line)# login authentication NO_AUTH

  15. 802.1X Port-Based Authentication
     • Network access through the switch requires RADIUS authentication.

  16. Configuring 802.1X
     • Enable AAA.
     • Configure RADIUS server.
     • Enable 802.1X globally.
     • Configure interface for 802.1X.
     • Define local user authentication.

     sw(config)# aaa new-model
     sw(config)# radius-server host 10.1.1.50 auth-port 1812 key xyz123
     sw(config)# aaa authentication dot1x default group radius
     sw(config)# dot1x system-auth-control
     sw(config)# interface fa0/1
     sw(config-if)# description Access Port
     sw(config-if)# switchport mode access
     sw(config-if)# dot1x port-control auto
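Slides 14 and 16 together give the global AAA, line and per-interface commands that 802.1X depends on; the easy mistake in practice is an access port that was never given `dot1x port-control auto`, or a line that still uses a method list defined as `none`. The audit below is an added example, not part of the course material or of any vendor tool: it splits an IOS-style running configuration into blocks and reports those gaps. The configuration it reads is constructed from the commands on the slides plus one extra access port (FastEthernet0/2) and one trunk port that are invented to exercise the checks; the console line uses `NO_AUTH` exactly as the slide configures it, and the audit surfaces that for review.

```python
"""Audit an IOS-style running-config for the AAA and 802.1X settings from the slides (added example)."""
import re

# Constructed from the slide commands; FastEthernet0/2 and GigabitEthernet0/1 are invented.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 10.1.1.50 auth-port 1812 key xyz123
aaa authentication login default group radius local line
aaa authentication login NO_AUTH none
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 description Access Port
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
line con 0
 login authentication NO_AUTH
line vty 0 15
 login authentication default
"""


def parse_blocks(config):
    """Split a config into (header, [indented sub-commands]) pairs in file order."""
    blocks = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # sub-command of the current block
            if current is not None:
                current[1].append(raw.strip())
        else:                              # new top-level command or block header
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_config(config):
    """Return (where, problem) findings for missing AAA/802.1X settings."""
    blocks = parse_blocks(config)
    top_level = {header for header, _ in blocks}
    findings = []

    # Login method lists defined as 'none' perform no authentication at all.
    none_lists = set()
    for header in top_level:
        m = re.match(r"aaa authentication login (\S+) none$", header)
        if m:
            none_lists.add(m.group(1))

    for required in ("aaa new-model", "dot1x system-auth-control"):
        if required not in top_level:
            findings.append(("global", f"missing '{required}'"))
    if not any(h.startswith("aaa authentication dot1x ") for h in top_level):
        findings.append(("global", "no 802.1X authentication method list"))

    for header, body in blocks:
        if header.startswith("interface ") and "switchport mode access" in body:
            if "dot1x port-control auto" not in body:
                findings.append((header, "access port without 802.1X port control"))
        if header.startswith("line "):
            lists = [cmd.split()[-1] for cmd in body if cmd.startswith("login authentication ")]
            if not lists:
                findings.append((header, "no 'login authentication' applied"))
            for name in lists:
                if name in none_lists:
                    findings.append((header, f"login method list '{name}' is 'none' (no authentication)"))
    return findings


if __name__ == "__main__":
    for where, problem in audit_config(SAMPLE_CONFIG):
        print(f"{where}: {problem}")
```

The check deliberately looks at `switchport mode access` rather than at port names, so it does not complain about trunks and uplinks; whether an unauthenticated console is acceptable is a local decision, which is why it is reported as a finding rather than treated as an error.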

  17. Summary
     • Layer 2 security measures must be taken as a subset of the overall network security plan.
     • Rogue devices can allow access to the network and undermine its security.
     • Switch attacks fall into four main categories.
     • MAC flooding attacks are launched against Layer 2 access switches and can cause the CAM table to overflow.
     • Port security can be configured at Layer 2 to block input from unauthorized devices.
     • Sticky MAC addresses allow port security to limit access to a specific, dynamically learned MAC address.
     • AAA can be used for authentication on a multilayer switch.
     • 802.1X port-based authentication can mitigate the risk of rogue devices gaining unauthorized access.
