Unformatted text preview:

– Chapter 5 – Secure LAN SwitchingSwitch and Layer 2 securitySlide 3Switch and Layer 2 security (cont.)Setting up a secure Layer 2 switching environmentNeed for other counter-measuresPort securityMAC Address FloodingMAC Address Flooding (cont.)IP permit listsProtocol FilteringControlling LAN floodsPrivate VLANsUsing IEEE 802.1xNetwork Security 1– Chapter 5 – Secure LAN Switching•Layer 2 security–Port security–IP permit lists–Protocol filtering–Controlling LAN floods (using port filtering, protocol filtering, etc.)–Private VLANs–Using IEEE 802.1x for port authentication and access controlNetwork Security 2Switch and Layer 2 security•Security of lower layer devices is important, because some threats are initiated on Layer 2 rather than Layer 3 and above.•Example: A firewall or a router cannot block a compromised server on a DMZ LAN from connecting to another server on the same segment.  because the connection occurs at Layer 2•Focus of the chapter: Cisco Catalyst 5000 series switches (principles applicable to other types of switches)Network Security 3•Source: http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdfNetwork Security 4Switch and Layer 2 security (cont.)•More example attacks: http://www.cisco.com/ca/events/pdfs/L2-security-Bootcamp-final.pdf (local copy)Network Security 5Setting up a secure Layer 2 switching environment•Overview of Counter-measures:Use VLANs to create logical groupings of devices  Each of the groups may have different security levels.Disable unused ports, and place them in a VLAN with no Layer 3 access.Besides VLANs, other mechanisms must be used (e.g., port security)Separate devices should be used for zones at different security levels.Disable Layer 3 connection (e.g., Telnet, HTTP) to the switch.Disable trunking on ports that do not require it (and place the trunk port in its own VLAN).-A trunk is an interface on a switch that can carry packets for any VLAN. When packets get sent between switches, each packet gets tagged, based on the IEEE standard for passing VLAN packets between bridges, 802.1Q. The receiving switch removes the tag and forwards the packet to the correct port or VLAN in the case of a broadcast packet.  “VLAN Insecurity” (http://www.spirit.com/Network/net0103.html)Network Security 6Need for other counter-measures•How about attacks launched from hosts sitting on a LAN?-In general, those hosts are considered as trusted entities.-So it is difficult to stop a host when it becomes an attacker.-Solution: Make sure access to the LAN is secured.  MAC address filtering (e.g., Cisco’s port security, DHCP)Network Security 7Port security•A mechanism to restrict the MAC addresses that can connect via a particular port of the switchAllows a range of MAC addresses to be specified for a particular portOnly frames with a right MAC address can go through the switch.•Useful for preventing MAC address flooding attacksCAM overflow: Content-Addressable Memory (aka. associated memory)CAM table stores information such as MAC addresses available on physical ports, with their associated VLAN params.CAM table has fixed size.When a CAM table is full, the switch is unable to create a new entry.  It forwards a received frame to all ports, resulting in increased traffic and allowing the attacker to examine all frames.So, CAM overflow attacks may lead to subsequent DoS and traffic analysis attacks (next slide)Network Security 8MAC Address FloodingNetwork Security 9MAC Address Flooding (cont.)•Counter-measures:1. Hard-coding the MAC addresses that are allowed to connect on a port, or2. Limiting the number of hosts that are allowed to connect on a portExample 5-1: approach 1 + timed suspensionConsole> (enable) set port security 2/1 enableConsole> (enable) set port security 2/1 enable 00-90-2b-03-34-08Console> (enable) set port security 2/1 shutdown 600Example 5-2: approach 2Console> (enable) set port security 3/2 maximum 20Network Security 10IP permit lists•Purpose: To restrict higher layer traffic, such asTelnet, SSH, HTTP, and SNMP, from entering a switch•Allows IP addresses to be specified that are allowed to send these kinds of traffic through the switch•Command: set ip permit enable•Example 5-3Network Security 11Protocol Filtering•Purpose: To limit broadcast/multicasts for certain protocols•With Cisco Catalyst 5000 series of switches, packets are classified into protocol groups: 1. IP 2. IPX2. AppleTalk, DECnet, Banyan VINES 4. Other protocols•A port is configured to belong to one or more of these groups.For each of the groups a port belong to, the port is in one of the following states (for that group): On  Receive all broadcast/multicast traffic for that protocolOff  no broadcast/multicast traffic for that protocolAuto  auto-configured port-The port becomes a member of the protocol group only after the device connected to the port transmits packets of that specific protocol group.-Once the attached device stops transmitting packets for that protocol for 60 minutes, the port is removed form that protocol group.•Example 5-4Network Security 12Controlling LAN floods•Attackers may cause frame flood (e.g., CAM flooding), or send broadcast/multicast messages to flood the LAN.•Counter-measures:1. Protocol filtering2. Setting up threshold limits for broadcast/multicast traffic on ports–Catalyst switches allow thresholds for broadcast traffic to be set up on a per-port basis.–The thresholds can depend on either the bandwidth consumed by broadcasts or the number of broadcast packets being sent across a port.–‘Bandwidth consumed’ is a preferred measure. (Why?)–Example: Console> (enable) set port broadcast 2/1-6 75%Other broadcast/multicast traffic is dropped when the bandwidth consumed by broadcast/multicast traffic reaches 75%.Network Security 13Private VLANs•An enhancement to Catalyst 6000 switches•Traditional VLAN: no layer 2 segregation of devices of the same VLAN  So when one of the devices in a VLAN is compromised, other devices on the same VLAN may be compromised as well.•Purpose of private VLANs: To allow restrictions to be placed on the Layer 2 traffic of a VLAN.•Three types of private VLAN ports:1. Promiscuous ports: communicate with all other private VLAN ports2. Isolated ports: have complete Layer 2 isolation from other ports within the same private VLAN (e.g., Ethernet ports


View Full Document

UHCL CSCI 5235 - Secure LAN Switching

Download Secure LAN Switching
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Secure LAN Switching and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Secure LAN Switching 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?