Semester 3 v4.0: Multilayer Switching

Description: Minimising Service Loss and Data Theft in a Switched Network. Daniel Comarmond. PowerPoint presentation, 21 slides, provided by: danielco.

Transcript and Presenter's Notes

1
Semester 3 v4.0: Multilayer Switching
  • MODULE 7
  • Minimising Service Loss and Data Theft in a
    Switched Network

2
A Secure Infrastructure
  • Every device in the infrastructure should be
    treated as a security device.
  • Security features vary per device
  • Firewalls: ACLs, advanced application inspection,
    DoS mitigation, stateful failover
  • Routers: ACLs, application inspection
  • Switches: ACLs
  • A smaller feature set doesn't mean switches are
    insecure

3
Issue: MAC Flooding
  • Aims to overflow a switch's CAM table by flooding
    it with MAC addresses
  • Cisco Catalyst 3750 desktop switch can store up
    to 12,000 MAC addresses
  • Cisco Catalyst 6500 chassis switch can store up
    to 96,000-128,000 MAC addresses
  • A malicious user can sniff traffic bound for
    legitimate destination MAC addresses that didn't
    fit in the CAM table and hence need to be flooded
  • This issue is compounded by unauthorised hubs
    and, more recently, wireless access points

4
Solution: Port Security
  • Limits MAC addresses allowed to connect on any
    single access port
  • Introduced in IOS 11.2(8), re-released in IOS
    12.1(6) and is now platform-specific
  • Verify port security status with show
    port-security
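
To make the CAM-table behaviour on slides 3 and 4 concrete, the following added Python model (not code from the presentation) learns source MACs into a small CAM table and shows where a unicast frame goes once the table is full, then repeats the run with a port-security maximum on the offending port. Port names, MAC addresses and the capacity of 6 entries are constructed for illustration.

```python
"""Model of a switch CAM table with an optional port-security limit.

Added example for the MAC-flooding and port-security slides; it is not code
from the presentation. Port names, MAC addresses and the CAM capacity are
constructed so the effect is visible in a handful of frames.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    ports: list                                   # all switch ports
    cam_capacity: int                             # how many MAC entries the CAM table holds
    max_mac_per_port: dict = field(default_factory=dict)  # port -> port-security maximum
    cam: dict = field(default_factory=dict)       # learned source MAC -> port
    violations: list = field(default_factory=list)
    err_disabled: set = field(default_factory=set)

    def learn(self, mac, port):
        """Learn a frame's source MAC on its ingress port; return what happened."""
        if port in self.err_disabled:
            return "dropped (port err-disabled)"
        if self.cam.get(mac) == port:
            return "refreshed"
        limit = self.max_mac_per_port.get(port)
        if limit is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= limit:
                # Port-security violation. The IOS default violation mode is
                # shutdown, which err-disables the port, so nothing more is learned.
                self.violations.append((port, mac))
                self.err_disabled.add(port)
                return "violation (port shut down)"
        if len(self.cam) >= self.cam_capacity:
            return "not learned (CAM table full)"
        self.cam[mac] = port
        return "learned"

    def forward(self, dst_mac, ingress_port):
        """Egress ports for a unicast frame: one port if known, else flooded."""
        port = self.cam.get(dst_mac)
        if port is None:
            # Unknown destination: the switch behaves like a hub for this frame
            return sorted(set(self.ports) - {ingress_port})
        return [port]


def run_scenario(port_security_limit=None):
    """Burst of distinct source MACs on one port, then a frame for a real host.

    Returns (ports the frame for the real host is delivered to, violation count).
    """
    ports = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"]
    limits = {"Gi1/0/3": port_security_limit} if port_security_limit else {}
    sw = Switch(ports=ports, cam_capacity=6, max_mac_per_port=limits)
    for i in range(10):                        # constructed, locally administered MACs
        sw.learn(f"02:00:00:00:00:{i:02x}", "Gi1/0/3")
    sw.learn("00:11:22:33:44:55", "Gi1/0/1")   # legitimate host only fits if the CAM has room
    return sw.forward("00:11:22:33:44:55", "Gi1/0/2"), len(sw.violations)


if __name__ == "__main__":
    print("no port security:", run_scenario())
    print("port-security maximum 2:", run_scenario(port_security_limit=2))
```

Without a limit the frame for the legitimate host is flooded to every other port, including the one that filled the table; with a maximum of two addresses the third address is a violation, the port goes err-disabled (the IOS default violation mode) and the frame is delivered to the correct port only.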

5
You've been tagged!
  • Lock down 802.1Q on switches to avoid VLAN
    hopping
  • Be specific with trunk ports
  • Switch(config-if)# switchport mode trunk
  • Switch(config-if)# switchport trunk {allowed vlan
    vlan-list | native vlan vlan-id}
  • Assign remaining ports to access VLANs
  • Switch(config-if)# switchport mode access
  • Switch(config-if)# switchport access vlan vlan-id
  • Turn off Dynamic Trunking Protocol on all ports
  • Switch(config-if)# switchport nonegotiate

6
Private VLANs
  • Restrict switch ports at Layer 2
  • Ensures privacy for users on the same VLAN
  • Assign switch ports to a defined primary VLAN
  • Define a secondary VLAN, and assign switch port
    roles
  • Isolated: can communicate directly only with
    promiscuous ports on its VLAN
  • Promiscuous: can communicate with any port assigned
    to its VLAN
  • Community: can communicate with promiscuous and
    other community ports on its VLAN

7
Implementing PVLANs
  • Private VLAN: Catalyst 6500/4500/4900/3750/3560
  • Set VTP mode to Transparent
  • Switch(config)# vtp mode transparent
  • Define a primary VLAN
  • Switch(config)# vlan vlan-id
  • Switch(config-vlan)# private-vlan primary
  • Define a secondary VLAN
  • Switch(config)# vlan vlan-id
  • Switch(config-vlan)# private-vlan {isolated |
    community}
  • Associate the secondary VLAN to the primary VLAN
  • Switch(config)# vlan primary-vlan-id
  • Switch(config-vlan)# private-vlan association
    {add | remove} secondary_vlan_list
  • Configure a promiscuous port
  • Switch(config-if)# switchport mode private-vlan
    promiscuous
  • Switch(config-if)# switchport private-vlan
    mapping primary-vlan-id {add | remove}
    secondary_vlan_list
  • Private VLAN Edge (per switch): Catalyst
    2960/2950/2940
  • Switch(config-if)# switchport protected
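
The three port roles on slide 6 and the switchport protected command above can be written down as a forwarding rule, which makes a PVLAN design reviewable before it is configured. This added example (Python, not the presentation's own material) encodes the rules with constructed port and community names; the one-isolated-VLAN-per-primary check reflects the Catalyst restriction that only a single isolated VLAN may be associated with a primary VLAN.

```python
"""Private VLAN and protected-port forwarding rules as checkable functions.

Added example for the Private VLAN slides; not code from the presentation.
Port names and community names are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                        # "isolated", "community" or "promiscuous"
    community: Optional[str] = None  # secondary community VLAN, community ports only


def pvlan_allows(src: PvlanPort, dst: PvlanPort) -> bool:
    """Can a frame from src reach dst inside one primary VLAN?"""
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True                              # promiscuous ports talk to every role
    if src.role == "community" and dst.role == "community":
        return src.community == dst.community    # community ports: same community only
    return False                                 # isolated ports reach nothing but promiscuous


def protected_allows(src_protected: bool, dst_protected: bool) -> bool:
    """Private VLAN Edge (switchport protected) on a single switch: two protected
    ports never exchange traffic; a protected and an unprotected port do."""
    return not (src_protected and dst_protected)


def validate_association(secondaries):
    """A primary VLAN may carry many community VLANs but only one isolated VLAN."""
    isolated = [v for v, kind in secondaries.items() if kind == "isolated"]
    if len(isolated) > 1:
        raise ValueError(f"more than one isolated VLAN associated: {isolated}")
    return True


def reachability(ports):
    """Which (src, dst) pairs can talk; handy for reviewing a PVLAN design."""
    return {(a.name, b.name): pvlan_allows(a, b)
            for a in ports for b in ports if a is not b}


if __name__ == "__main__":
    ports = [PvlanPort("Gi1/0/1", "isolated"), PvlanPort("Gi1/0/2", "isolated"),
             PvlanPort("Gi1/0/3", "community", "eng"), PvlanPort("Gi1/0/4", "community", "eng"),
             PvlanPort("Gi1/0/5", "community", "sales"), PvlanPort("Gi1/0/24", "promiscuous")]
    for (a, b), ok in sorted(reachability(ports).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```

Running the block prints the full reachability matrix; the two isolated ports and the two communities never see each other, and only the promiscuous port (typically the uplink to the default gateway) is reachable from every role.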

8
Switch ACLs
  • Port ACLs
  • Inbound-only IPv4 or MAC ACLs applied to physical
    switch ports
  • Router ACLs (RACLs)
  • Applied either inbound or outbound on Layer 3
    interfaces to filter routed IPv4 traffic between
    VLANs
  • VLAN ACLs (VACLs)
  • Used to filter traffic within the same VLAN
  • VLAN maps are configured to provide access
    control based on Layer 3 addresses for IPv4
  • After a VLAN map is applied to a VLAN, all
    packets (routed or bridged) entering the VLAN are
    checked against the VLAN map

9
Multilayer Switch VACLs
  • Configure an IP or MAC ACL
  • Switch(config)# {ip | mac} access-list {standard |
    extended} access-list-name
  • Switch(config-ext-nacl)# {permit | deny} ...
  • Configure a VLAN map and assign the ACL
  • Switch(config)# vlan access-map name [number]
  • Switch(config-access-map)# action {drop |
    forward}
  • Switch(config-access-map)# match {ip | mac}
    address {name | number} [name | number ...]

10
Rogue DHCP? Snoop Away!
  • DHCP snooping filters untrusted DHCP messages
  • Maintains a DHCP snooping binding table
  • Sets switch ports as trusted or untrusted
  • To enable DHCP snooping

11
Dynamic ARP Inspection
  • To defend against ARP poisoning by malicious
    users, DAI makes further use of information
    collected by DHCP snooping
  • DAI determines the validity of an ARP packet
    based on valid IP-to-MAC address bindings stored
    in the DHCP snooping binding table
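
The following added Python model (not code from the presentation) ties slides 10 and 11 together: DHCP server messages arriving on untrusted ports are discarded, a DHCP ACK from the trusted port creates a binding, and DAI checks ARP packets from untrusted ports against those bindings while ARP from trusted ports passes. Ports, the VLAN and all MAC and IP addresses are constructed; the model compares sender IP and MAC only, which is the check the slide describes.

```python
"""DHCP snooping bindings feeding Dynamic ARP Inspection, modelled in Python.

Added example for the DHCP snooping and DAI slides; not code from the
presentation. Ports, VLAN, MAC and IP addresses below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpMessage:
    kind: str         # DISCOVER, OFFER, REQUEST, ACK or NAK
    port: str         # switch port the message arrived on
    vlan: int
    client_mac: str
    yiaddr: str = ""  # address being offered/assigned (OFFER and ACK)


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress_port: str
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class SnoopingDai:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the real DHCP server / uplinks
        self.client_ports = {}              # (vlan, mac) -> access port where the client was seen
        self.bindings = {}                  # (vlan, ip) -> Binding: the snooping binding table
        self.dropped_dhcp = []
        self.dropped_arp = []

    def observe_dhcp(self, msg):
        """DHCP snooping: server replies only from trusted ports; ACK builds a binding."""
        if msg.kind in SERVER_MESSAGES:
            if msg.port not in self.trusted:
                self.dropped_dhcp.append(msg)        # rogue DHCP server on an access port
                return "drop"
            if msg.kind == "ACK":
                client_port = self.client_ports.get((msg.vlan, msg.client_mac))
                if client_port is not None:
                    self.bindings[(msg.vlan, msg.yiaddr)] = Binding(
                        msg.client_mac, msg.yiaddr, msg.vlan, client_port)
            return "forward"
        if msg.port not in self.trusted:             # client message: remember its port
            self.client_ports[(msg.vlan, msg.client_mac)] = msg.port
        return "forward"

    def inspect_arp(self, pkt):
        """DAI: ARP from untrusted ports must match an IP-to-MAC binding; trusted ports bypass."""
        if pkt.ingress_port in self.trusted:
            return "forward"
        binding = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if binding is None or binding.mac != pkt.sender_mac:
            self.dropped_arp.append(pkt)             # the switch logs this as an invalid ARP
            return "drop"
        return "forward"


def run_demo():
    """Constructed exchange: one honest lease, one rogue OFFER, four ARP replies."""
    sw = SnoopingDai(trusted_ports={"Gi1/0/24"})
    vlan, host_a, host_b = 10, "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"
    for m in [
        DhcpMessage("DISCOVER", "Gi1/0/1", vlan, host_a),
        DhcpMessage("OFFER", "Gi1/0/24", vlan, host_a, "10.0.10.50"),
        DhcpMessage("REQUEST", "Gi1/0/1", vlan, host_a, "10.0.10.50"),
        DhcpMessage("ACK", "Gi1/0/24", vlan, host_a, "10.0.10.50"),
        DhcpMessage("OFFER", "Gi1/0/2", vlan, host_a, "10.0.10.99"),   # from an access port
    ]:
        sw.observe_dhcp(m)
    verdicts = [sw.inspect_arp(p) for p in [
        ArpPacket(vlan, "Gi1/0/1", host_a, "10.0.10.50"),       # matches its binding
        ArpPacket(vlan, "Gi1/0/2", host_b, "10.0.10.50"),       # host A's address, wrong MAC
        ArpPacket(vlan, "Gi1/0/2", host_b, "10.0.10.1"),        # gateway address, no binding
        ArpPacket(vlan, "Gi1/0/24", "00:cc:cc:cc:cc:01", "10.0.10.1"),  # gateway via trusted port
    ]]
    return {"rogue_dhcp_dropped": len(sw.dropped_dhcp), "arp_verdicts": verdicts,
            "bindings": sorted((b.ip, b.mac, b.port) for b in sw.bindings.values())}


if __name__ == "__main__":
    print(run_demo())
```

The third ARP packet shows the operational consequence of DAI: a host that has no snooping binding (a statically addressed server or a gateway on an access port) has its ARP dropped unless its port is trusted or an ARP ACL is added for it, which is why static hosts need to be inventoried before DAI is turned on for a VLAN.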

12
AAA Who? Where? Why?
  • Authentication: Who are you?
  • Define lists of various methods to identify users,
    e.g. local user database or centralised RADIUS
    cluster
  • Authorisation: Where do you think you're going?
  • Uses information retrieved from the user's
    profile (from local user database or security
    server) to configure the user's session
  • Accounting: Where have you been, and why?
  • Tracks the services that users are accessing and
    the amount of network resources that they are
    consuming

13
Configuring Authentication
  • Must first define authentication method lists,
    else use default method.
  • E.g. Users logging in on integrated wireless use
    a different group list
  • Switch(config)# aaa authentication login default
    group radius local
  • Switch(config)# aaa authentication login
    eap_methods group radius
  • Switch(config)# interface dot11Radio 0
  • Switch(config-if)# ssid Enigma
  • Switch(config-if)# vlan 10
  • Switch(config-if)# authentication network-eap
    eap_methods

14
Configuring Authorisation
  • Like authentication, define method lists for
    authorisation
  • E.g. use local database for users attempting to
    configure the switch, but refer to security
    server database for wireless users to access
    network
  • Switch(config)# aaa authorization exec default
    local
  • Switch(config)# aaa authorization network
    eap_methods group tacacs+

15
Configuring Accounting
16
802.1x Tailored Access
  • IEEE 802.1x allows for port-based access control
  • Caters for dynamic access environment
  • Supersedes port security, enhances AAA
  • Simpler administration across infrastructure
  • Three distinct components
  • Client: must have 802.1x software support to
    participate in client requests and authentication
    replies
  • Authentication server: performs the authentication
    process in addition to storing the user database;
    must be an EAP-enabled RADIUS server
  • Authenticator: Layer 2 device closest to the
    requesting client; proxies authentication
    requests and replies

17
oneNAC: Beyond 802.1x
  [Diagram: Hosts Attempting Network Access (Cisco
  Trust Agent) | Network Access Devices (Enforcement)
  | Policy Server Decision Points and Remediation
  (AAA Server (ACS), Vendor Servers); labels:
  Credentials, EAP/UDP, EAP/802.1x, RADIUS, HTTPS,
  Comply?, Access Rights, Notification]
  • Network Admission Control (NAC): Cisco oneNAC
    uses the network infrastructure to enforce
    security policy compliance on all devices before
    granting access to network computing resources,
    thereby limiting damage from emerging security
    threats.

18
... And lastly...
  • Small steps to help further harden switches...
  • Disable CDP globally or per interface
  • Switch(config)# no cdp run
  • Switch(config-if)# no cdp enable
  • Encrypt usernames and passwords in the local user
    database
  • Switch(config)# service password-encryption
  • Switch(config)# username name secret password
  • VTY ACLs
  • Switch(config)# access-list list-number {permit |
    deny | remark} source [source-wildcard] [log]
  • Switch(config)# line vty 0 4
  • Switch(config-line)# access-class list-number {in |
    out}

19
... And lastly... again...
  • Small steps to help further harden switches...
  • Disable Telnet in favour of SSHv2
  • Generating an RSA key-pair requires valid host
    and domain names
  • Switch(config)# hostname host-name
  • Switch(config)# ip domain-name domain_name
  • Switch(config)# crypto key generate rsa
  • Configure SSHv2 server
  • Switch(config)# ip ssh version 2
  • Require SSH for incoming virtual terminal
    connections
  • Switch(config)# line vty 0 4
  • Switch(config-line)# transport input ssh
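
Checking that these small steps, together with the trunk lockdown on slide 5, actually made it into a running configuration is easy to automate. The added Python auditor below is not from the presentation: it parses a running-config into global commands and interface/line sections and reports each hardening item that is missing. SAMPLE_CONFIG is a constructed excerpt and the secret hash in it is a placeholder.

```python
"""Audit a Catalyst running-config for the hardening items on these slides.

Added example for slides 5, 18 and 19; not code from the presentation.
SAMPLE_CONFIG is a constructed excerpt and the username hash is a placeholder.
"""

SAMPLE_CONFIG = """\
hostname edge-sw1
service password-encryption
ip domain-name example.test
username admin secret 5 $PLACEHOLDER-HASH$
no cdp run
ip ssh version 2
access-list 10 permit 10.0.0.0 0.0.0.255
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
"""


def parse_config(text):
    """Split IOS config into global commands and indented sections keyed by their header."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                    # '!' separates sections
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit(text):
    """Return one finding per hardening item that is missing."""
    global_cmds, sections = parse_config(text)
    findings = []
    if "no cdp run" not in global_cmds:
        findings.append("global: CDP still running ('no cdp run' missing)")
    if "service password-encryption" not in global_cmds:
        findings.append("global: 'service password-encryption' missing")
    for cmd in global_cmds:
        if cmd.startswith("username ") and " secret " not in cmd:
            findings.append(f"global: user '{cmd.split()[1]}' configured with 'password', not 'secret'")
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: SSH not pinned to version 2")
    for header, body in sections.items():
        if header.startswith("interface "):
            iface = header.split(None, 1)[1]
            if not any(c.startswith("switchport mode ") for c in body):
                findings.append(f"{iface}: no explicit 'switchport mode' (DTP may negotiate a trunk)")
            if "switchport nonegotiate" not in body:
                findings.append(f"{iface}: DTP not disabled ('switchport nonegotiate' missing)")
        elif header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input not restricted to ssh")
            if not any(c.startswith("access-class ") for c in body):
                findings.append(f"{header}: no VTY access-class applied")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING", finding)
```

On the constructed config the only findings are for GigabitEthernet1/0/2, which was left with the default dynamic switchport mode and DTP enabled; the same parser can be pointed at the output of show running-config collected from a whole estate.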

20
Welcome to my world :)
  • Daniel Comarmond
  • CCNP, CCDP, CCSP, CCAI
  • Cisco Networking Academy Instructor
  • Systems Engineer, Cisco Systems
  • E-Mail: dcom@it.uts.edu.au
  • MSN: dcom82@dcom82.com
  • Phone: +61 2 8446-5037
  • Website: http://www-staff.it.uts.edu.au/dcom
  • Take care, and SMILE!!! :)