Chapter 5 Secure LAN Switching

Slides: 14
Provided by: DrLa81

1
Chapter 5 Secure LAN Switching
  • Layer 2 security
  • Port security
  • IP permit lists
  • Protocol filtering
  • Controlling LAN floods (using port filtering,
    protocol filtering, etc.)
  • Private VLANs
  • Using IEEE 802.1x for port authentication and
    access control

2
Switch and Layer 2 security
  • Security of lower layer devices is important,
    because some threats are initiated on Layer 2
    rather than Layer 3 and above.
  • Example: A firewall or a router cannot block a
    compromised server on a DMZ LAN from connecting
    to another server on the same segment → because
    the connection occurs at Layer 2.
  • More example attacks:
  • http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdf
  • Focus of the chapter: Cisco Catalyst 5000 series
    switches

3
Switch and Layer 2 security (cont.)
  • Rules of thumb
  • Use VLANs to create logical groupings of devices
    → Each of the groups may have different security
    levels.
  • Disable unused ports, and place them in a VLAN
    with no Layer 3 access.
  • Besides VLANs, other mechanisms must be used.
  • Separate devices should be used for zones at
    different security levels.
  • Disable Layer 3 connection (e.g., Telnet, HTTP)
    to the switch.
  • Disable trunking on ports that do not require it.
  • A trunk is an interface on a switch that can
    carry packets for any VLAN. When packets get sent
    between switches, each packet gets tagged, based
    on the IEEE standard for passing VLAN packets
    between bridges, 802.1Q. The receiving switch
    removes the tag and forwards the packet to the
    correct port or VLAN in the case of a broadcast
    packet.
  • → VLAN Insecurity (http://www.spirit.com/Network/net0103.html)

4
Switch and Layer 2 security (cont.)
  • How about attacks launched from hosts sitting on
    a LAN?
  • In general, those hosts are considered as trusted
    entities.
  • So it is difficult to stop a host when it becomes
    an attacker.
  • Solution: Make sure access to the LAN is secured.
  • → MAC address filtering (e.g., Cisco's port
    security, DHCP)

5
Port security
  • A mechanism to restrict the MAC addresses that
    can connect via a particular port of the switch
  • Allows a range of MAC addresses to be specified
    for a particular port
  • Only frames with a permitted MAC address can go
    through the switch.
  • Useful for preventing MAC address flooding
    attacks
  • CAM overflow: CAM = Content-Addressable Memory
    (a.k.a. associative memory)
  • The CAM table stores information such as the MAC
    addresses reachable via each physical port, with
    their associated VLAN parameters.
  • The CAM table has a fixed size.
  • When the CAM table is full, the switch is unable
    to create a new entry.
  • → It forwards a received frame to all ports,
    resulting in increased traffic and allowing the
    attacker to examine all frames.
  • So, CAM overflow attacks may lead to subsequent
    DoS and traffic analysis attacks (next slide)

6
MAC Address Flooding
7
MAC Address Flooding (cont.)
  • Counter-measures
  • Hard-coding the MAC addresses that are allowed to
    connect on a port, or
  • Limiting the number of hosts that are allowed to
    connect on a port
  • Example 5-1: approach 1 (timed suspension)
  • Example 5-2: approach 2
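
The CAM overflow behaviour of slide 5 and the second counter-measure of slide 7 (limiting the number of addresses learned per port), as an added simulation that is not part of the original slides or of Cisco's code. It assumes a constructed learning switch with a four-entry CAM table and constructed MAC addresses; the port-security limit models "set port security ... maximum", not the exact CatOS implementation.

```python
class Switch:
    """Constructed model of a learning switch with a fixed-size CAM table
    and optional port security (max MAC addresses learned per port)."""

    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.max_macs = max_macs_per_port
        self.cam = {}                 # src MAC -> port it was learned on
        self.violations = []          # (port, mac) blocked by port security

    def learn(self, src, port):
        if src in self.cam:
            return "known"
        if self.max_macs is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs:
                self.violations.append((port, src))
                return "violation"    # port security blocks the new address
        if len(self.cam) >= self.cam_size:
            return "cam_full"         # table full: no entry is created
        self.cam[src] = port
        return "learned"

    def forward(self, src, dst, in_port):
        """Return the egress ports for a frame (empty list = dropped)."""
        if self.learn(src, in_port) == "violation":
            return []
        if dst in self.cam:
            return [self.cam[dst]]
        # unknown destination (or broadcast): flood out every other port
        return [p for p in self.ports if p != in_port]


def simulate(max_macs_per_port):
    """A host on port 1 floods forged source MACs (constructed values);
    then host B (port 3) talks to host A (port 2). Returns the ports
    that A's reply to B is sent out of."""
    sw = Switch(ports=[1, 2, 3], cam_size=4, max_macs_per_port=max_macs_per_port)
    for i in range(6):
        sw.forward(f"fa:ke:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", in_port=1)
    sw.forward("bb:bb:bb:bb:bb:bb", "aa:aa:aa:aa:aa:aa", in_port=3)
    return sw.forward("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", in_port=2)


if __name__ == "__main__":
    print("no port security:", simulate(None))   # [1, 3]: port 1 sees A->B
    print("max 1 MAC/port:  ", simulate(1))      # [3]: delivered only to B
```

With the table full, B's address is never learned, so A's unicast to B is flooded and reaches the flooding port; with one address per port the forged entries are refused and the frame goes only to port 3.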

8
IP permit lists
  • Purpose: To restrict higher layer traffic, such
    as Telnet, SSH, HTTP, and SNMP, from entering a
    switch
  • Allows IP addresses to be specified that are
    allowed to send these kinds of traffic through
    the switch
  • Example 5-3

9
Protocol Filtering
  • Purpose: To limit broadcasts/multicasts for
    certain protocols
  • With the Cisco Catalyst 5000 series of switches,
    packets are classified into protocol groups:
    1. IP
    2. IPX
    3. AppleTalk, DECnet, Banyan VINES
    4. Other protocols
  • A port is configured to belong to one or more of
    these groups.
  • For each of the groups a port belongs to, the
    port is in one of the following states (for that
    group):
  • On → Receive all broadcast/multicast traffic for
    that protocol
  • Off → No broadcast/multicast traffic for that
    protocol
  • Auto → Auto-configured port
  • The port becomes a member of the protocol group
    only after the device connected to the port
    transmits packets of that specific protocol
    group.
  • Once the attached device stops transmitting
    packets for that protocol for 60 minutes, the
    port is removed from that protocol group.
  • Example 5-4
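
The per-port On/Off/Auto states and the 60-minute auto timeout described above, as an added model that is not part of the original slides or of Cisco's code. Group names, the port table and the timestamps are constructed; times are seconds.

```python
GROUPS = ("ip", "ipx", "appletalk_decnet_vines", "other")  # the four groups
AUTO_TIMEOUT_S = 60 * 60   # an auto port leaves a group after 60 idle minutes


class PortProtocolFilter:
    """Constructed model of one port's protocol-filtering state: a state
    (on/off/auto) per protocol group. An 'auto' port is a member of a group
    only while the attached device has sent that protocol within the
    timeout; 'on' is always a member and 'off' never is."""

    def __init__(self, states):
        self.states = {g: states.get(g, "off") for g in GROUPS}
        self.last_seen = {}   # group -> time the attached device last sent it

    def on_transmit(self, group, now):
        """The attached device sent a frame belonging to this group."""
        self.last_seen[group] = now

    def member(self, group, now):
        state = self.states[group]
        if state == "on":
            return True
        if state == "off":
            return False
        seen = self.last_seen.get(group)          # state == "auto"
        return seen is not None and now - seen < AUTO_TIMEOUT_S

    def deliver_broadcast(self, group, now):
        """Should a broadcast/multicast of this group be sent out this port?"""
        return self.member(group, now)


def flood_targets(ports, group, now):
    """Names of the ports that receive a broadcast/multicast of this group."""
    return [name for name, p in ports.items() if p.deliver_broadcast(group, now)]


def scenario():
    """Constructed timeline for one auto-configured IPX port."""
    port = PortProtocolFilter({"ip": "on", "ipx": "auto", "other": "auto"})
    out = [port.deliver_broadcast("ipx", now=0)]          # nothing sent yet
    port.on_transmit("ipx", now=10)
    out.append(port.deliver_broadcast("ipx", now=20))     # joined the group
    out.append(port.deliver_broadcast("ipx", now=3610))   # 60 min idle
    out.append(port.deliver_broadcast("ip", now=0))       # 'on'
    out.append(port.deliver_broadcast("appletalk_decnet_vines", now=0))  # 'off'
    return out
```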

10
Controlling LAN floods
  • Attackers may cause frame flood (e.g., CAM
    flooding), or send broadcast/multicast messages
    to flood the LAN.
  • Counter-measures
  • Protocol filtering
  • Setting up threshold limits for
    broadcast/multicast traffic on ports
  • Catalyst switches allow thresholds for broadcast
    traffic to be set up on a per-port basis.
  • The thresholds can depend on either the bandwidth
    consumed by broadcasts or the number of broadcast
    packets being sent across a port.
  • Bandwidth consumed is a preferred measure.
    (Why?)
  • Example: Console> (enable) set port broadcast
    2/1-6 75%
  • Other broadcast/multicast traffic is dropped when
    the bandwidth consumed by broadcast/multicast
    traffic reaches 75%.

11
Private VLANs
  • An enhancement to Catalyst 6000 switches
  • Traditional VLAN: no Layer 2 segregation of
    devices in the same VLAN → So when one of the
    devices in a VLAN is compromised, other devices
    on the same VLAN may be compromised as well.
  • Purpose of private VLANs: To allow restrictions
    to be placed on the Layer 2 traffic of a VLAN.
  • Three types of private VLAN ports:
  • Promiscuous ports: communicate with all other
    private VLAN ports
  • Isolated ports: have complete Layer 2 isolation
    from other ports within the same private VLAN
  • Community ports: communicate among themselves and
    with their promiscuous ports

12
Using IEEE 802.1x
  • Purpose: (a) port authentication, (b) access
    control
  • Other usage: used in 802.11i for WLAN security

13
Summary
  • Next: NAT and security