© 2006 Cisco Systems, Inc. All rights reserved. BCMSN v

Minimizing Service Loss and Data Theft in a Campus Network
Understanding Switch Security Issues

Overview of Switch Security
Rogue Access Points

Rogue network devices can be:
–Wireless hubs
–Wireless routers
–Access switches
–Hubs

These devices are typically connected at access level switches.

Switch Attack Categories

–MAC layer attacks
–VLAN attacks
–Spoofing attacks
–Attacks on switch devices

MAC Flooding Attack

Port Security

Port security restricts port access by MAC address.
Configuring Port Security on a Switch

–Enable port security
–Set MAC address limit
–Specify allowable MAC addresses
–Define violation actions

    Switch(config-if)#switchport port-security [maximum value] violation {protect | restrict | shutdown}

Enables port security and specifies the maximum number of MAC addresses that can be supported by this port.

Verifying Port Security

    Switch#show port-security

Displays security information for all interfaces.

    Switch#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
          Fa5/                                                        Shutdown
          Fa5/                                                        Restrict
          Fa5/                                                         Protect
    Total Addresses in System: 21
    Max Addresses limit in System: 128

Verifying Port Security (Cont.)

    Switch#show port-security interface type mod/port

Displays security information for a specific interface.

    Switch#show port-security interface fastethernet 5/1
    Port Security: Enabled
    Port status: SecureUp
    Violation mode: Shutdown
    Maximum MAC Addresses: 11
    Total MAC Addresses: 11
    Configured MAC Addresses: 3
    Aging time: 20 mins
    Aging type: Inactivity
    SecureStatic address aging: Enabled
    Security Violation count: 0

Verifying Port Security (Cont.)

    Switch#show port-security address

Displays MAC address table security information.

    Switch#show port-security address
    Secure Mac Address Table
    Vlan  Mac Address  Type              Ports   Remaining Age (mins)
                       SecureDynamic     Fa5/1   15 (I)
                       SecureDynamic     Fa5/1   15 (I)
                       SecureConfigured  Fa5/1   16 (I)
                       SecureConfigured  Fa5/
                       SecureConfigured  Fa5/
                       SecureConfigured  Fa5/
                       SecureConfigured  Fa5/
                       SecureConfigured  Fa5/
                       SecureConfigured  Fa5/11  25 (I)
                       SecureConfigured  Fa5/11  25 (I)
    Total Addresses in System: 10
    Max Addresses limit in System: 128
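As an added example (not part of the Cisco course material), the following Python reads the `show port-security` summary table and flags what an operator verifying port security should look at: ports with recorded violations, ports whose secure-address table is already full, and ports in protect mode, which drops offending frames without notification and so never raises the violation counter. The sample output it parses is constructed, not the slide's own.

```python
import re

# Constructed sample of "show port-security" summary output; the values are
# made up for illustration and are not the slide's own sample.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15           13                  2         Restrict
     Fa5/11              5            3                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 27
Max Addresses limit in System: 128
"""

# One interface row: port, three counters, then the configured violation action.
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")

def parse_port_security(text):
    """Return one dict per interface row of the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, maximum, current, violations, action = m.groups()
            rows.append({"port": port, "max": int(maximum), "current": int(current),
                         "violations": int(violations), "action": action})
    return rows

def system_capacity(text):
    """Return (secure addresses in use, system-wide limit) from the trailer lines."""
    total = int(re.search(r"Total Addresses in System:\s*(\d+)", text).group(1))
    limit = int(re.search(r"Max Addresses limit in System:\s*(\d+)", text).group(1))
    return total, limit

def review(rows):
    """Flag recorded violations, full secure-address tables, and protect mode
    (silent drop: its violations never appear in the SecurityViolation column)."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append(f"{r['port']}: {r['violations']} violation(s), action {r['action']}")
        if r["current"] >= r["max"]:
            findings.append(f"{r['port']}: secure address table full ({r['current']}/{r['max']})")
        if r["action"] == "Protect":
            findings.append(f"{r['port']}: protect mode gives no violation notification")
    return findings
```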
Port Security with Sticky MAC Addresses

Sticky MAC stores dynamically learned MAC addresses.

AAA Network Configuration

Authentication
–Verifies a user identity
Authorization
–Specifies the permitted tasks for the user
Accounting
–Provides billing, auditing, and monitoring

Authentication Methods

Cisco IOS AAA supports these authentication methods:
–Enable password
–Kerberos 5
–Kerberos 5-Telnet authentication
–Line password
–Local database
–Local database with case sensitivity
–No authentication
–RADIUS
–TACACS+

    Switch(config)#aaa authentication login {default | list-name} method1 [method2...]

Creates a local authentication list.

802.1x Port-Based Authentication

Network access through the switch requires authentication.

Configuring 802.1x

    Switch(config)#aaa new-model

Enables AAA.

    Switch(config)#aaa authentication dot1x {default} method1 [method2…]

Creates an 802.1x port-based authentication method list.

    Switch(config)#dot1x system-auth-control

Globally enables 802.1x port-based authentication.

    Switch(config)#interface type slot/port

Enters interface configuration mode.

    Switch(config-if)#dot1x port-control auto

Enables 802.1x port-based authentication on the interface.
Summary

–Layer 2 security measures must be taken as a subset of the overall network security plan.
–Rogue access to the network can undermine its security.
–Switch attacks fall into four main categories.
–MAC flooding attacks are launched against Layer 2 access switches and can overflow the CAM table.
–Port security can be configured at Layer 2 to block input from devices.
–Configuring port security on a switch is easy and recommended.
–Sticky MAC addresses allow port security to limit access to a specific, dynamically learned MAC address.
–Multilayer switches should be configured to support security.
–AAA can be used for authentication on a multilayer switch.
–802.1x port-based authentication can mitigate the risk of rogue devices gaining unauthorized access.