Layer 2 attacks
_____ are some of the easiest for hackers to deploy but these threats can also be mitigated with some common Layer 2 solutions.
switch ports (interfaces)
All _____ should be secured before the switch is deployed for production use.
How a port is secured depends on its function.
disable
A simple method that many administrators use to help secure the network from unauthorized access is to _____ all unused ports on a switch.
port security
The simplest and most effective method to prevent MAC address table overflow attacks is to enable _____.
limits the number of valid MAC addresses allowed on a port.
It allows an administrator to manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
When a port configured with port security receives a frame, the source MAC address of the frame is compared to the list of secure source MAC addresses that were manually configured or dynamically learned on the port.
By limiting the number of permitted MAC addresses on a port to one, _____ can be used to control unauthorized access to the network.
access ports,
trunk ports
Port security can only be configured on manually configured _____ or manually configured ____.
By default, Layer 2 switch ports are set to dynamic auto (trunking on).
1
The default port security value is _____.
secure MAC addresses
The maximum number of _____ that can be configured depends on the switch and the IOS.
Manually Configured,
Dynamically Learned,
Dynamically Learned – Sticky
The switch can be configured to learn about MAC addresses on a secure port in one of three ways:
Manually Configured
The administrator _____ a static MAC address(es) by using the following command for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address mac-address
Dynamically Learned
When the switchport port-security command is entered, the current source MAC for the device connected to the port is automatically secured but is not added to the running configuration.
If the switch is rebooted, the port will have to re-learn the device’s MAC address.
Dynamically Learned – Sticky
The administrator can enable the switch to dynamically learn the MAC address and “stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky
NVRAM
Saving the running configuration will commit the dynamically learned MAC address to _____.
Port security aging
can be used to set the aging time for static and dynamic secure addresses on a port and two types of aging are supported per port:
Absolute,
Inactivity
two types of aging
Absolute
The secure addresses on the port are deleted after the specified aging time.
Inactivity
The secure addresses on the port are deleted if they are inactive for a specified time.
aging
Use _____ to remove secure MAC addresses on a secure port without manually deleting the existing secure MAC addresses.
_____ of statically configured secure addresses can be enabled or disabled on a per-port basis.
port violation, error-disabled state
If the MAC address of a device attached to a port differs from the list of secure addresses, then a ____ occurs and the port enters the _____.
shutdown (default),
restrict,
protect
3 security violation modes
shutdown (default)
The port transitions to the error-disabled state immediately, turns off the port LED, and sends a syslog message.
It increments the violation counter.
When a secure port is in the error-disabled state, an administrator must re-enable it by entering the shutdown and no shutdown commands.
restrict
The port drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value.
This mode causes the Security Violation counter to increment and generates a syslog message.
protect
This is the least secure of the security violation modes.
The port drops packets with unknown MAC source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the maximum value.
No syslog message is sent.
shutdown (default)
Security Violation Mode
Discards Offending Traffic? Yes
Sends Syslog Message? Yes
Increases Violation Counter? Yes
Shuts Down Port? Yes
restrict
Security Violation Mode
Discards Offending Traffic? Yes
Sends Syslog Message? Yes
Increases Violation Counter? Yes
Shuts Down Port? No
protect
Security Violation Mode
Discards Offending Traffic? Yes
Sends Syslog Message? No
Increases Violation Counter? No
Shuts Down Port? No
no traffic is sent or received
When a port is shutdown and placed in the error-disabled state, _____ on that port.
Spoofing DTP messages
Introducing a rogue switch and enabling trunking.
double-tagging (or double-encapsulated) attack.
A VLAN hopping attack can be launched in one of three ways:
Spoofing DTP messages
_____ from the attacking host to cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.
Introducing a rogue switch and enabling trunking
The attacker can then access all the VLANs on the victim switch from the rogue switch.
double-tagging (or double-encapsulated) attack
This attack takes advantage of the way the hardware on most switches operates.
DHCP starvation attack,
Gobbler,
Denial of Service (DoS)
The goal of a _____ is to use an attack tool such as _____ to create a _____ for connecting clients.
port security
DHCP starvation attacks can be effectively mitigated by using _____ because Gobbler uses a unique source MAC address for each DHCP request sent.
However, mitigating DHCP spoofing attacks requires more protection.
Gobbler
____ could be configured to use the actual interface MAC address as the source Ethernet address, but specify a different Ethernet address in the DHCP payload.
This would render port security ineffective because the source MAC address would be legitimate.
DHCP snooping
DHCP spoofing attacks can be mitigated by using _____ on trusted ports.
DHCP snooping
filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
Devices under administrative control
(e.g., switches, routers, and servers)
are trusted sources.
Trusted interfaces
(e.g., trunk links, server ports)
must be explicitly configured as trusted.
Devices outside the network and all access ports
____ are generally treated as untrusted sources.
DHCP table,
DHCP snooping binding table
is built that includes the source MAC address of a device on an untrusted port and the IP address assigned by the DHCP server to that device.
The MAC address and IP address are bound together.
Therefore, this table is called the _____.
ARP attack
a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway.
ARP Requests and Replies
To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid _____ are relayed.
Dynamic ARP inspection (DAI)
requires DHCP snooping and helps prevent ARP attacks
invalid or gratuitous ARP Replies
DAI requires DHCP snooping and helps prevent ARP attacks by:
Not relaying _____ out to other ports in the same VLAN. (1)
Intercepting all ARP Requests and Replies
DAI requires DHCP snooping and helps prevent ARP attacks by:
_____ on untrusted ports. (2)
IP-to-MAC binding
DAI requires DHCP snooping and helps prevent ARP attacks by:
Verifying each intercepted packet for a valid _____. (3)
Dropping and logging ARP Replies
DAI requires DHCP snooping and helps prevent ARP attacks by:
_____ coming from invalid sources to prevent ARP poisoning. (4)
Error-disabling the interface
DAI requires DHCP snooping and helps prevent ARP attacks by:
_____ if the configured DAI number of ARP packets is exceeded. (5)
Enable DHCP snooping globally.
Enable DHCP snooping on selected VLANs.
Enable DAI on selected VLANs.
Configure trusted interfaces for DHCP snooping and ARP inspection.
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines (4)
access switch ports - untrusted,
uplink ports - trusted
It is generally advisable to configure all ____ as ____ and to configure all _____ that are connected to other switches as _____.
Destination MAC,
Source MAC,
IP address
DAI can also be configured to check for (3)
Destination MAC
Checks the ____ address in the Ethernet header against the target MAC address in the ARP body.
Source MAC
Checks the _____ address in the Ethernet header against the sender MAC address in the ARP body.
IP address
Checks the ARP body for invalid and unexpected _____ including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
Spanning Tree Protocol (STP)
network attackers can manipulate the _____ to conduct an attack by spoofing the root bridge and changing the topology of a network.
PortFast,
Bridge Protocol Data Unit (BPDU) Guard
To mitigate STP attacks, use ____ and ____.
PortFast
immediately brings a port to the forwarding state from a blocking state, bypassing the listening and learning states.
end-user access ports
PortFast applies to all _____.
BPDU Guard
immediately error-disables a port that receives a BPDU.
end devices
BPDU guard should only be configured on interfaces attached to _____.
STP listening, learning
PortFast bypasses the ____ and _____ states to minimize the time that access ports must wait for STP to converge.
inter-switch links
PortFast on ____ can create a spanning-tree loop.
Cisco IOS shutdown
Navigate to each unused port and issue the _____ command.
no shutdown
If a port must be reactivated at a later time, it can be enabled with the ____ command.
interface range
To configure a range of ports, use the _____ command.
switchport port-security
Port security is enabled with the _____ interface configuration command.
show port-security
command to display port security settings for the switch
show port-security interface
display the current port security settings
view details for a specific interface
show port-security address
display all secure MAC addresses that are manually configured or dynamically learned on all switch interfaces
Switch(config-if)# switchport port-security maximum value
command to set the maximum number of MAC addresses allowed on a port
Switch(config-if)# switchport port-security mac-address mac-address
manually configures a static MAC address(es) by using the following command for each secure MAC address on the port:
Switch(config-if)# switchport port-security mac-address sticky
enable the switch to dynamically learn the MAC address and “stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
command to enable or disable static aging for the secure port, or to set the aging time or type.
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
To set the port security violation mode, use the following command.
switchport mode access
Disable DTP (auto trunking) negotiations on non-trunking ports by using the _____ interface configuration command.
switchport mode trunk
Manually enable the trunk link on a trunking port by using the _____ command.
switchport nonegotiate
Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.
ip dhcp snooping
Enable DHCP snooping by using the ____ global configuration command.
ip dhcp snooping trust
On trusted ports, use the _____ interface configuration command.
ip dhcp snooping limit rate packets-per-second
On untrusted interfaces, limit the number of DHCP discovery messages that can be received using the _____ interface configuration command.
ip dhcp snooping vlan
Enable DHCP snooping by VLAN, or by a range of VLANs, by using the _____ global configuration command.
show ip dhcp snooping
Use the ______ privileged EXEC command to verify DHCP snooping settings.
show ip dhcp snooping binding
Use the ____ command to view the clients that have received DHCP information.
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
The _____ global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid.
ip arp inspection validate
Entering multiple _____ commands overwrites the previous command.
spanning-tree portfast,
spanning-tree portfast default
PortFast can be enabled:
On an interface - _____ interface configuration command
Globally - _____ global configuration command to enable PortFast on all access ports.
show running-config | begin span,
show spanning-tree summary
To verify whether PortFast is enabled globally, you can use either the:
show running-config interface type/number
To verify if PortFast is enabled on an interface.
show spanning-tree interface type/number detail
The _____ command can also be used for verification.
spanning-tree bpduguard enable,
spanning-tree portfast bpduguard default
BPDU Guard can be enabled:
On an interface – Use the _____ interface configuration command.
Globally – Use the _____ global configuration command to enable BPDU Guard on all access ports.