Module 11

Module Objective: Configure switch security to mitigate LAN attacks.

Implement Port Security

Objective: Implement port security to mitigate MAC address table attacks, which are among the most common LAN attacks.

Mitigate VLAN Attacks

Objective: Explain how to configure Dynamic Trunking Protocol (DTP) and native VLAN settings to mitigate VLAN attacks, ensuring that only authorized traffic passes over trunk links.

Mitigate DHCP Attacks

Objective: Explain how to configure DHCP snooping to mitigate DHCP attacks, specifically focusing on protecting the integrity of IP address assignments within a network.

Mitigate ARP Attacks

Objective: Explain how to configure Dynamic ARP Inspection (DAI) to prevent ARP attacks, which can allow malicious users to intercept traffic.

Mitigate STP Attacks

Objective: Explain how to configure PortFast and Bridge Protocol Data Unit (BPDU) Guard to mitigate Spanning Tree Protocol (STP) attacks, such as root bridge spoofing, which can disrupt network topology.

Implement Port Security

General Concept: Layer 2 attacks, such as MAC address table overflow, are prevalent in modern networks and are mitigated on the switches that operate at that layer, which is where the traffic is first seen.

Best Practice: Secure all switch ports (interfaces) thoroughly before deployment to avoid unauthorized access.

Secure Unused Ports

Actions to take:

  • Disable all unused ports with the interface command: shutdown

  • Reactivate a port with: no shutdown

  • To configure many ports at once, use: interface range type module/first-number - last-number (for example, interface range FastEthernet0/10 - 24), which applies the following commands to every interface in the range.

Mitigate MAC Address Table Attacks

Port Security: The best method to prevent MAC address table overflow attacks is through implementing port security settings.

Function: Port security limits the number of MAC addresses that may be learned on a port and treats frames from any other source MAC address as a violation, which defeats the flooding used to overflow the MAC address table.

Modes:

  • Static Configuration: Manually add a MAC address with switchport port-security mac-address <mac-address>

  • Dynamic Configuration: Let the switch learn a limited number of MAC addresses automatically from incoming traffic; these entries are lost when the port goes down or the switch reboots.

  • Sticky Learning: switchport port-security mac-address sticky adds dynamically learned MAC addresses to the running configuration; once that configuration is saved to Non-Volatile Random-Access Memory (NVRAM), the addresses persist across reboots.

Maximum Count: Set the limit with switchport port-security maximum <value>; the default is 1. The maximum can be raised as high as 8192, depending on the capabilities of the device.

Port Security Verification

Use the following commands to check port security settings and ensure configurations are effective:

  • show port-security interface <interface> to display the port's status, violation mode, maximum and current address counts, and violation counter.

  • show port-security address to list the secure addresses learned or configured on each port.
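As an added example that is not part of the module, the following IOS session shuts down the unused ports in one range and then enables port security on a user port; the interface names Fa0/1 and Fa0/10-24, the maximum of 2 and the MAC address 0a1b.2c3d.4e5f are assumed (constructed) values:

```cisco
! Unused ports Fa0/10-24 (assumed): shut them all down with one range command
Switch(config)# interface range FastEthernet0/10 - 24
Switch(config-if-range)# shutdown
Switch(config-if-range)# exit
!
! User port Fa0/1: port security is rejected on a dynamic (DTP) port,
! so make it a static access port first
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Allow two addresses: one static (constructed MAC) and one learned sticky
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address 0a1b.2c3d.4e5f
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
!
! Verify, then save so the sticky address survives a reboot
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
Switch# copy running-config startup-config
```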

Port Security Aging

Types of Aging:

  • Absolute: Deletes secure addresses after a specified time interval, regardless of activity, so stale mappings do not persist.

  • Inactivity: Deletes secure addresses that have been idle for the specified duration, freeing the slot for a new device.

Commands: Configure aging with switchport port-security aging {static | time <time> | type {absolute | inactivity}}; the static keyword enables aging for statically configured addresses, which otherwise never age out.

Security Violation Modes

Available Modes:

  • Shutdown (default): The port goes into the error-disabled state and must be manually re-enabled by an administrator.

  • Restrict: Drops frames from unknown source MAC addresses, logs the event and increments the violation counter, but does not disable the port.

  • Protect: Like restrict, drops frames from unknown source MAC addresses, but neither logs the event nor increments the violation counter, so violations leave no trace.

Command: Use switchport port-security violation {shutdown | restrict | protect} to set the mode used when a violation occurs.

Ports in Error-Disabled State

Actions: Before re-enabling a port, determine the cause of the violation (for example with show port-security interface <interface>) and remove it. Then restore the port with:

  • shutdown

  • no shutdown
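Added example (not from the module) covering the aging, violation-mode and error-disabled sections above: Fa0/2 is a shared-area port that keeps running under violations, Fa0/3 is a single-host port that err-disables; the interface names, the maximum and the aging time are assumed:

```cisco
! Shared-area port: unknown hosts are dropped and counted, port stays up;
! idle addresses age out after 10 minutes so the slots are reusable
Switch(config)# interface FastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging time 10
! Also age the statically configured addresses (off by default)
Switch(config-if)# switchport port-security aging static
Switch(config-if)# exit
!
! Single-host port keeps the shutdown default: a violation err-disables it
Switch(config)# interface FastEthernet0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end
!
! Recovery after a violation on Fa0/3: find the cause, fix it, then bounce the port
Switch# show interfaces status err-disabled
Switch# show port-security interface FastEthernet0/3
Switch# configure terminal
Switch(config)# interface FastEthernet0/3
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
```

The Last Source Address field in show port-security interface identifies the MAC address that triggered the violation; if that device is still attached, the port will err-disable again as soon as it is re-enabled.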

Mitigate VLAN Attacks

Types of VLAN Attacks Include:

  • Spoofing DTP Messages: An attacker sends DTP messages so that the switch negotiates a trunk with the attacker's port.

  • Introducing Rogue Switches: An attacker connects a switch with trunking enabled and negotiates a trunk link into the network.

  • Double Tagging Attacks: A frame carrying two VLAN tags is forwarded into a VLAN the sender is not a member of, because the first tag is stripped on the native VLAN and the second is then honoured.

Steps to Mitigate VLAN Hopping Attacks:

  1. Disable DTP on non-trunking ports with switchport mode access, so the port never negotiates a trunk.

  2. Disable unused ports and place them in an unused VLAN, so they neither carry nor listen for traffic.

  3. Manually enable trunk links on approved ports with switchport mode trunk.

  4. Disable DTP on trunk ports with switchport nonegotiate, so trunking cannot be renegotiated.

  5. Set the native VLAN to a non-default value (not VLAN 1) with switchport trunk native vlan <vlan_number>, so untagged traffic from access ports never rides the trunk's native VLAN.
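The five steps above as one added IOS example (not the module's own configuration); the interface names, VLAN 10 for users, VLAN 86 as the parking VLAN and VLAN 999 as the native VLAN are assumed values:

```cisco
! Parking VLAN for unused ports, deliberately different from the native VLAN
! so that no access port ever sits in the trunk's native VLAN
Switch(config)# vlan 86
Switch(config-vlan)# name PARKING
Switch(config-vlan)# exit
Switch(config)# interface range FastEthernet0/10 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 86
Switch(config-if-range)# shutdown
Switch(config-if-range)# exit
!
! End-device ports: static access ports never negotiate a trunk
Switch(config)# interface range FastEthernet0/1 - 9
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit
!
! Uplink: static trunk, DTP off, native VLAN moved away from VLAN 1
! (platforms that also support ISL need "switchport trunk encapsulation dot1q" first)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# end
!
! Verify: the trunk should show native VLAN 999 and DTP should report "nonegotiate"
Switch# show interfaces trunk
Switch# show dtp interface GigabitEthernet0/1
```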

Mitigate DHCP Attacks

Types of Attacks:

  • DHCP Starvation: An attacker floods the DHCP server with requests from spoofed source addresses until the address pool is exhausted.

  • DHCP Spoofing: An attacker runs a rogue DHCP server that hands clients false configuration data, such as a malicious default gateway or DNS server.

DHCP Snooping

Function: Drops DHCP server messages (for example DHCPOFFER and DHCPACK) arriving on untrusted ports and rate-limits DHCP requests from those ports, which blocks rogue DHCP servers and starvation floods; it also builds a binding table of IP address, MAC address, VLAN and port for each lease it observes.

Configuration Steps:

  1. Enable DHCP snooping globally with: ip dhcp snooping.

  2. Mark ports that face a legitimate DHCP server or an upstream switch as trusted with: ip dhcp snooping trust; every other port remains untrusted by default.

  3. Limit DHCP messages on untrusted ports with: ip dhcp snooping limit rate <packets-per-second> to prevent flooding on the network.

  4. Enable DHCP snooping for specific VLANs with: ip dhcp snooping vlan <vlan_id>; snooping is only active on the VLANs listed.

Verify DHCP Snooping

  • show ip dhcp snooping to review the operational status, the snooped VLANs and the trust state of each port.

  • show ip dhcp snooping binding to view the binding table of active leases.

Mitigate ARP Attacks

Dynamic ARP Inspection (DAI): A security feature that prevents ARP spoofing by inspecting ARP requests and replies on untrusted ports and dropping any whose IP-to-MAC pairing is not a known valid binding.

Requirements: DAI depends on DHCP snooping, because the DHCP snooping binding table is the source of the IP-to-MAC mappings it validates ARP packets against.

DAI Configuration Guidelines:

  1. Enable DHCP snooping both globally and on the VLANs to be protected, so that the binding table exists before DAI is enabled on those VLANs.

  2. Leave access ports, where end devices connect, as untrusted (the default); only the uplinks to other trusted switches should be marked trusted.
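Added IOS example (not from the module) that ties the DHCP snooping steps and the DAI guidelines together, since DAI validates against the snooping binding table; VLAN 10, the uplink Gi0/1, the access ports Fa0/1-24 and the rate limit of 6 pps are assumed values:

```cisco
! DHCP snooping for VLAN 10; every port is untrusted until marked trusted
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
!
! Uplink toward the DHCP server: trusted for both snooping and DAI
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
!
! Access ports stay untrusted; cap client DHCP traffic at 6 packets per second
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip dhcp snooping limit rate 6
Switch(config-if-range)# exit
!
! DAI checks ARP on VLAN 10 against the snooping binding table;
! the validate command additionally checks the MAC and IP fields of each ARP packet
Switch(config)# ip arp inspection vlan 10
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! Hosts with static addresses have no DHCP lease, so add a static binding for them
! (constructed MAC and IP shown)
Switch(config)# ip source binding 0a1b.2c3d.4e5f vlan 10 10.0.10.50 interface FastEthernet0/5
Switch(config)# end
!
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection interfaces
```

Enabling DAI on a VLAN before the binding table has been populated drops ARP traffic from every client whose lease predates snooping, so enable snooping first and let clients renew.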

Mitigate STP Attacks

STP Attacks manipulate the network topology, typically by sending crafted STP messages (BPDUs) so that an attacker-controlled device is elected root bridge and traffic is redirected through it.

Mitigations:

  • PortFast: Moves an access port directly to the forwarding state when it comes up, skipping the STP listening and learning states, so that end devices connect without waiting for STP convergence; it belongs only on access ports.

  • BPDU Guard: Puts a port into the error-disabled state as soon as a Bridge Protocol Data Unit (BPDU) is received on it, so a rogue switch plugged into an access port cannot alter the topology.

PortFast Configuration:

  • Enable PortFast only on access ports; on a port connected to another switch it would bypass the STP states that detect loops.

  • Verify PortFast on a port with: show spanning-tree interface <type/number> detail.

BPDU Guard Configuration:

  • Configure BPDU Guard on the same access ports that have PortFast enabled, so that any BPDU arriving from a rogue switch err-disables the port.

  • Ports placed in the err-disabled state can be recovered automatically with the errdisable recovery command; for example, errdisable recovery cause psecure_violation re-enables ports err-disabled by port-security violations after the recovery interval, if that behaviour is desired.
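Added IOS example (not the module's own configuration) for the PortFast and BPDU Guard sections: a per-port configuration, the global equivalent, and automatic err-disable recovery; the interface name Fa0/1 and the 300-second interval are assumed values:

```cisco
! Per-port: PortFast and BPDU Guard on an access port only
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# spanning-tree portfast
Switch(config-if)# spanning-tree bpduguard enable
Switch(config-if)# exit
!
! Global alternative: PortFast on all non-trunking ports, and BPDU Guard
! on every port that has PortFast enabled
Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree portfast bpduguard default
!
! Automatic recovery from err-disabled for both causes, checked every 300 s;
! a port err-disables again immediately if the rogue device is still attached
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery cause psecure_violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
!
! Verify: the port should show "Port is in the portfast mode" and "Bpdu guard is enabled"
Switch# show spanning-tree interface FastEthernet0/1 detail
Switch# show spanning-tree summary
Switch# show errdisable recovery
```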

Summary of Key Concepts and Commands

Keep track of the terms and commands introduced in this module: port security configuration, DTP and native VLAN settings, DHCP snooping, Dynamic ARP Inspection, and PortFast with BPDU Guard. Applying these measures consistently on every access switch is what keeps the LAN attacks described here from succeeding.