Sunday, April 25, 2010

CCNA Security 07

The best practices for security are:Physical Security - Lock servers, routers and switches up. No one should be able to plug or remove wires from your devices.

Passwords - Set passwords that are 8 characters and above and include upper- and lower-case alphabets, numbers and symbols.

Different Privilege Levels - The amount of access the user receives must be the lowest he can get to complete his job.

Remote Access - Grant access to only those who absolutely, positively need it.

A switch has more VTY lines than a router. Apart from the basic 0-4, a switch has 5-15. To set passwords on all lines, use:
line vty 0 15
password cisco

All passwords appear in clear-text except the enable secret. To encrypt those passwords using a weak algorithm, use:
service password-encryption

The "login" command is to REQUIRE login instead of allowing it. "no login" means DO NOT REQUIRE LOGIN instead of DISALLOW LOGIN. When you type "no login", you would have access to the prompt once the telnet session is up.

In a privilege 1 telnet session, the user would not be able to access exec mode if an enable secret or password is not set. To automatically move into exec mode, either set privilege level in the VTY, or on the local account.

In this article I'll be focusing on Layer 2 security. We'll start with the CAM table. CAM stands for Content Addressable Memory. It is also known as the MAC Address Table. The CAM table is a table with different source addresses associated to the ports. To view the CAM table, use:
show mac address-table
show mac-address-table

When the CAM table is full, the switch goes into Failover mode. In failover mode, the switch forwards every frame, whether unicast or broadcast, out of all ports. Essentially the switch turns into an expensive hub.

There are many ways we can protect switchports. All these are consolidated into a port-security suite. To enable port-security on a switchport, use:
switchport port-security

Port-security can only be enabled on an access port. Trunks are not eligible to be a secure port. There are four options in port-security:
Aging - Remove a MAC address after some time of inactivity
MAC-Address - Secure MAC addresses allowed, and sticky options
Maximum - Maximum number of MAC addresses allowed on a port (Maximum is 132 for low-end switches, and 1024 for high-end switches)
Violation - Action to take if a violation occurs

The sticky option allows learning of the currently plugged in devices as secure devices. The sticky command is to be entered when the device is in a stable state where there are no rogue devices. By default, maximum is set to 1. To enable sticky, use:
switchport port-security mac-address sticky

There are three types of violation. Protect would simply drop the offending frames. Restrict would drop the offending frames and increment the port's security violation counter. Shutdown would put the port into err-disable state and log an SNMP trap. The default is Shutdown.

To manually configure a MAC address, use:
in f0/0
switchport port-security
switchport port-security mac-address aaaa.bbbb.cccc

To see a port's port-security, use:
show port-security interface f0/1

Port status can be Secure-Up, Secure-Down, Secure-ShutDown or Err-Disabled. Secure-Up means that the port is up and running. Secure-Down means that either the port status or line protocol is down. Secure-ShutDown means that it is Administratively Shutdown. Err-Disabled means that a violation has occurred.

There are 2 kinds of aging. There are absolute and inactivity. Absolute starts counting once the MAC address is learned, while inactivity starts counting from the last time the MAC address was received. The default is absolute. To change the type, use:
switchport port-security aging type inactivity

To change the aging time, use:
switchport port-security aging time 5

The time is specified in minutes.

Port-security cannot be run on:
-Trunk ports
-Etherchannel ports
-Destination SPAN ports
-802.1x ports

You can use SNMP to notify of new or deleted MAC-addresses. To do this, go to global configuration and type:
mac address-table notification
snmp-server enable traps mac-notification

Next, go into the interface and type:
snmp trap mac-notification added
snmp trap mac-notification removed

Prior to 12.11, commands referring to the MAC address table uses "mac-address-table". After 12.11, the commands become "mac address-table" without the hyphen.

IEEE 802.1x can be configured on a switchport. Dot1x only supports RADIUS (TACACS or TACACS+ cannot work). The host and the switch must be configured for EAPOL (EAP over LAN, where EAP stands for Extensible Authentication Protocol).

In a Dot1x deployment, you'll encounter these terms:
Supplicant - Dot1x-PC
Authenticator - Dot1x-Switch
Authentication Server - RADIUS Server

The supplicant's ports are divided into two ports by dot1x. This is similar to sub-interfaces, but dot1x actually handles them for us. The controlled port is where the data is sent out. The only kind of data that can pass through the uncontrolled port is EAPOL, STP and CDP. Once authenticated, the controlled port can then send data.

To configure dot1x, AAA must be enabled and configured. A method list for dot1x must be configured:
aaa authentication dot1x default group radius local

To turn on Dot1x globally, use:
dot1x system-auth-control

The other commands are done in the interfaces. There are three modes for an interface to be in:
Force-Authorized - Always authenticated
Force-Unauthorized - Always unauthenticated
Auto - Only allows EAPOL frames, and can only transmit when authentication is complete

To change a port's mode, go under the interface and use:
dot1x port-control auto

EAP is a framework. There are over 40 methods of EAP. The EAP methods tested in the exam are:
-Cisco LEAP

Cisco LEAP stands for Lightweight Extensible Authentication Protocol. LEAP is Cisco-proprietary but third-party vendors can support it via Cisco Compatible Extension Program. In LEAP, the RADIUS server will authenticate the client. Once the client is authenticated, the client will authenticate the server. This is a strong 2-way authentication system.

EAP-FAST stands for Flexible Authentication via Secure Tunneling. FAST allows establishment of a secure tunnel to perform authentication. You cannot configure certificates with EAP-FAST though. FAST has three phrases:
Phase Zero - Get a PAC on the client (Optional, as it is dynamically created)
Phase One - Encryption tunnel is established
Phase Two - Credentials are exchanged and mutual authentication is performed.

For extra security, the PAC can be configured on both sides.

PEAP is a combination of Cisco and Microsoft technology. PEAP is a strong, open-standard security scheme. PEAP comes in two flavors:

A secure digital certificate is involved in both flavors. A certificate for the client is optional, but a certificate for the authentications server is mandatory.

EAP-TLS is an open-standard protocol, but you'll need to have a certificate on both your client and your server.

To attach a device such as an IDS or a packet analyzer, you'll need to mirror traffic to a port. SPAN is such a tool. There are very different types of SPAN. The most common one is the Local SPAN, in which the source port and the destination port is on the same switch.

Remote SPAN is when the source port and the destination port are on different switches. VLAN span is when all traffic from a specific VLAN is sent to a destination port.

To start a SPAN session, use the command:
monitor session

In Remote SPAN, both switches (and any switches between it) need to be configured. A separate VLAN would be created to carry the mirrored frames (they need to cross the trunk). VTP treats the remote SPAN VLAN as a normal VLAN. VTP Pruning also affects it. MAC address learning is disabled for the RSPAN VLAN.

We will now look at creating a local SPAN session. To do this, we'll need to type:
monitor session 1 source interface f0/1 - 3
monitor session 1 destination interface f0/4

You can have up to 2 sessions on a C2950, and the source and destination can be a range.

To see monitor session statistics, use:
show monitor

Suppose now that we have two switches, S1 and S2. S1 is the switch with the source ports, and S2 is the destination port. To configure remote SPAN on R1, type:
vlan 30
monitor session 1 source interface f0/1 - 3
monitor session 1 destination remote vlan 30 reflector-port f0/12

On R2, type:
monitor session 1 source remote vlan 30
monitor session 1 destination interface f0/4

R1 Ports F0/1 - 3 are the source ports, R1 and R2 Port F0/12 are trunked, and R2 Port F0/4 is the destination. A source port can belong to multiple SPAN sessions, but a source port cannot be a destination port. A destination port can participate in only one SPAN session, cannot be a source port, and cannot be part of an Etherchannel. A destination port also cannot participate in STP, CDP, VTP, PaGP, LAP, or DTP.

Trunk ports can be configured as the source/destination SPAN port. The default behavior will result in the monitoring of all active VLANs on the trunk.

Inter-VLAN traffic can be filtered by using an ACL at a router-on-a-stick or applying an ACL in a multilayer switch. However, it's difficult to manage traffic within the same VLAN. To do this, we'll need to make use of a VACL.

In a multilayer switch, the CAM holds the addresses learned, and the TCAM (Ternary CAM) stores the next action to take to reduce the number of times an address must be compared to an ACL. In a Layer 2 switch, something similar can happen using a VACL.

Even though a VACL is used in the actual filtering, an ACL is required to be applied in a VACL. Suppose that we want to restrict - 3 from communicating with other hosts and each other in the VLAN. To do this, we first create an extended ACL:
ip access-list ext ACL_DENY
permit ip

Next, we create a VLAN Access Map:
vlan access-map VACL_DENY 10
match ip address ACL_DENY
action drop
vlan access-map VACL_DENY 20
action forward

The first thing traffic in the VLAN will encounter is sequence 10. In 10, the IP is matched against the access-list. If it's matched, it is dropped. If there is no match, sequence 20 is matched. Sequence 20 is similar to a "permit any" because there is an implicit deny at the bottom of the VACL.

To apply the VACL, go into global configuration and type:
vlan filter VACL_DENY vlan-list 100

VACLs can also be used to filter bridged traffic as well as non-IP and non-IPX traffic. VACLs run from top to bottom until a match occurs. There is an implicit deny at the end. If traffic is not expressly forwarded, it is implicitly denied. Only one VACL can be applied to a VLAN, and the sequence numbers allow you to go back to add lines. A routing ACL can be applied to an SVI to filter in/outbound traffic.

If a VACL and ACL is both applied (one to the VLAN, and one to the SVI), then the VACL is matched first before the ACL.

An alternative to VACLs is the Private VLAN. Hosts can be placed into a secondary VLAN which can result in three effects:
-Community Private VLAN - hosts will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN but not with other secondary VLANs.
-Isolated Private VLAN - hosts will be able to communicate with the primary VLAN but not other hosts.

You can also configure a Promiscuous port which can communicate with all hosts in the primary and secondary VLAN.

To configure VLAN 45 as a community-PVLAN, use:
vlan 45
private-vlan community

To configure VLAN 50 as an isolated-PVLAN, use:
vlan 50
private-vlan isolated

To associate a private VLAN with a primary VLAN 10, use:
vlan 10
private-vlan association 45,50

To associate ports to PVLANs, use:
in ran f0/1 - 6
switchport mode private-vlan host
switchport private-vlan host-association 10 45
in ran f0/7 - 11
switchport mode private-vlan host
switchport private-vlan host-association 10 50

To configure a port as promiscuous, use:
in f0/12
switchport mode private-vlan promiscuous
switchport private-vlan mapping 10 45,50

Traffic crossing the trunk from all VLANs would appear as VLAN 10.

PVLAN can only be configured when VTP is in transparent mode. To do this, type:
vtp mode transparent

DHCP can be used for network attacks. If a rogue DHCP server is put on the subnet, he can offer a legitimate IP address but send out a fake default gateway option. DHCP snooping classifies ports into trusted and untrusted. Trusted ports allow DHCP offers to go through, while untrusted ports are put in err-disable when an offer is received from it (indicating that there's a rogue DHCP server).

To turn on DHCP snooping, use:
ip dhcp snooping
ip dhcp snooping vlan 10

All ports in VLAN 1 (default) and 10 are now considered untrusted. To trust the port with your DHCP server, use:
in f0/1
ip dhcp snooping trust

To enable DHCP option 82 (DHCP Relay Agent), use:
ip dhcp snooping information option

ARP Poisoning is a very powerful way to perform a MITM attack. ARP Poisoning is also known as ARP Spoofing. ARP is the mechanism used to resolve IP addresses to MAC addresses. An intruder makes use of Gratuitous ARP to tell hosts that they are another host. They can effectively trick the host and the default gateway to send data through the intruder.

In Dynamic ARP Inspection, packets are checked for IP-MAC mappings. If the IP-MAC mapping is wrong on an untrusted interface, the frame is dropped. DHCP snooping has to be enabled to use DAI. To configure DAI, use:
ip dhcp snooping
ip arp inspection vlan 10

Now that all ports are enabled for ARP inspection, it's time to make ports trusted:
in f0/1
ip arp inspection trust

In DAI, you can specify the validation of more fields:
ip arp inspection dst-mac
ip arp inspection src-mac
ip arp inspection ip

You can show DAI status through:
show ip arp inspection

Cisco's recommended configuration is to have all host ports untrusted and all ports connecting to switches/routers trusted.

IP Source Guard prevents a host from using a statically assigned address or another host's address. It makes use of DHCP snooping so it must be turned on beforehand. Only addresses assigned by DHCP servers can be used. To enable IP Source Guard, use:
ip dhcp snooping
in ran f0/1 - 12
ip verify source port-security

VLAN Hopping is when a frame is double-tagged with Dot1q. For VLAN hopping to work, the intruder's host device must be attached to an access port. The VLAN used by the access port must also be the native VLAN.

The rogue transmit the frame that is double-tagged with VLAN 10 and VLAN 20. VLAN 10 is the native-VLAN. The first tag seen by the switch is VLAN 10 and it is removed because it is the native VLAN. Now the VLAN 20 tag is left and when the packet leaves a trunk, the other switches see the frame as coming from VLAN 20.

Switch spoofing allows the host to be a member of all VLANs. By default, Cisco switches are running in Dynamic Desirable mode. Dynamic Desirable mode has DTP running in an aggressive mode to actively form a trunk. Rogues connecting to a dynamic desirable port can negotiate the link into a trunk, and in turn allowing the rogue to connect to all VLANs.

There are two defenses for VLAN hopping attacks. Firstly, all host ports should be hardcoded into access ports. DTP should also be disabled. To see all switchport modes, use:
show int trunk

These are the two commands to prevent switch spoofing attacks:
switchport mode access
switchport nonegotiate

Intruders can attach a switch into a switched network with a very low priority to make themselves the root bridge. They then enable SPAN to sniff information. To prevent this, we'll have to use BPDU Guard and Root Guard.

Root Guard prevents a superior BPDU from coming in from a port (it is enabled on a per-port basis). Root Guard will block the BPDU and temporarily disables the port (goes into Root Inconsistent state). To configure Root Guard, use:
in f0/1
spanning guard root

BPDU guard is to prevent BPDUs from ever being received from a portfast port. When a BPDU is received from a BPDU guard interface, it is put into err-disable state. To enable BPDU guard on a port, use:
spanning-tree bpduguard enable

There is a command to enable all interfaces running on portfast to have BPDU guard. To do this, go to global configuration and type:
spanning-tree portfast bpduguard default

No comments :

Post a Comment