5.11 Switch Security and Attacks
Content-addressable memory (CAM) table
A table maintained by a switch that contains MAC addresses and their corresponding port locations.
Dynamic Trunking Protocol (DTP)
An insecure protocol that could allow unauthorized devices to modify a switch's configuration.
Virtual LAN (VLAN)
A logical grouping of computers based on switch port.
MAC flooding
MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. MAC flooding is performed using the following method:
1. The attacker floods the switch with packets, each containing a different source MAC address.
2. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called fail open mode. In fail open mode, all incoming packets are broadcast out to all ports (as with a hub), instead of to the designated port (as a switch normally does).
3. The attacker then captures all the traffic with a protocol analyzer/sniffer.
MAC spoofing
MAC spoofing is changing the source MAC address on frames. The attacker's system sends frames with the spoofed MAC address. The switch reads the source address contained in the frames and associates the MAC address with the port where the attacker is connected. MAC spoofing can be used to:
> Bypass 802.1x port-based security.
> Bypass wireless MAC filtering.
> Hide the identity of the attacker's computer or impersonate another device on the network.
> Impersonate a device on the network to capture frames addressed to that device.
> Impersonate a valid device on the network to gain network access, for example, when the switch uses the MAC address to allow or deny a network connection.
Port authentication (802.1x)
Port authentication is provided by the 802.1x protocol and allows only authenticated devices to connect to the LAN through the switch. Authentication uses user names and passwords, smart cards, or other authentication methods.
> When a device first connects, the port is set to an unauthorized state. Ports in the unauthorized state can be used only for 802.1x authentication traffic.
> The process begins with the switch sending an authentication request to the device.
> The device responds with authentication credentials, which the switch forwards to the authentication server (such as a RADIUS server).
> After the server authenticates the device or the user, the switch port is placed in an authorized state, and access to other LAN devices is allowed. When the device disconnects, the switch places the port back in the unauthorized state.
Dynamic Trunking Protocol (DTP)
Switches can automatically detect trunk ports and negotiate the trunking protocol used between devices. The Dynamic Trunking Protocol is not secure and could allow unauthorized devices to modify configuration information. Disable DTP on the switch's end user (access) ports before deploying the switch into the network.
Common Switch Attacks
The following table describes common attacks that are perpetrated against switches.
Security Switch Features
The following table lists switch features that can be implemented to increase network security:
5.11.7 Switch Attack Facts
This lesson covers common switch attacks.
5.11.3 Switch Security Facts
This lesson covers the following topics:
> Security switch features
> Implement switch security
> Spanning Tree Protocol
Spanning Tree Protocol
To provide fault tolerance, many networks implement redundant paths between devices using multiple switches. However, redundant paths between segments cause packets to be passed between the redundant paths endlessly. This condition is known as a switching loop. Switching loops lead to incorrect entries in a MAC address table, making a device appear to be connected to the wrong port and causing unicast traffic to circulate in a loop between switches. The Spanning Tree Protocol runs on switches to prevent switching loops by making only a single path between switches active at a time. The Spanning Tree Protocol also:
> Provides redundant paths between devices
> Recovers automatically from a topology change or device failure by unblocking redundant paths
> Identifies the optimal path between any two network devices
> Calculates the best loop-free path through a network by assigning a role to each bridge or switch and by assigning roles to the ports of each bridge or switch
The types of ports used by the Spanning Tree Protocol are:
1. Root ports, which are configured to communicate directly with the root switch.
2. Designated ports, which forward frames to and from attached hosts.
3. Blocked ports, which would form a loop and are kept for redundancy.
MAC filtering/port security
With switch port security, the devices that can connect to a switch through a port are restricted.
> Port security uses the MAC address to identify allowed and denied devices.
> On the switch, MAC addresses are stored in RAM in a table and are associated with the port. The table can be configured manually, or the switch can build it automatically by learning addresses.
> You can specify that only a single MAC address is allowed per port, or you can configure each port to allow multiple addresses.
> With automatic configuration, the next device or the specified number of devices can connect to the port, and additional devices are denied.
> A port violation occurs when an unauthorized device tries to connect. The switch configuration determines how the switch handles frames from an unauthorized device: the switch can either drop all frames from the unauthorized device or shut down the port, disabling all communications through that port.
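A small simulation, added here and not part of the lesson, of the two behaviours described in this section: a forwarding (CAM) table that fails open under MAC flooding, and the same table protected by port security with a per-port MAC limit and a discard or shutdown violation action. The table size, the oldest-entry eviction policy and all MAC addresses are constructed assumptions, not any vendor's implementation.

```python
"""Simulated switch CAM table: MAC flooding with and without port security.
Added example, not part of the lesson; the switch model (fixed table size,
oldest entry evicted when full, per-port MAC limit) is a simplification,
not any vendor's implementation. MAC addresses below are constructed."""
from collections import OrderedDict

VICTIM_PORT, SERVER_PORT, ATTACKER_PORT = 2, 3, 5
VICTIM_MAC, SERVER_MAC = "00:11:22:33:44:02", "00:11:22:33:44:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_capacity, max_macs=None, violation="discard"):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity  # MAC->port entries that fit in RAM
        self.max_macs = max_macs          # per-port limit; None = port security off
        self.violation = violation        # "discard" the frame or "shutdown" the port
        self.cam = OrderedDict()          # MAC -> port, oldest entry first
        self.shutdown = set()
        self.violations = 0

    def _learn(self, mac, port):
        """Learn mac on port; return False if the frame must be dropped."""
        if port in self.shutdown:
            return False
        if mac in self.cam:
            self.cam.move_to_end(mac)
            return True
        if self.max_macs is not None and \
                sum(p == port for p in self.cam.values()) >= self.max_macs:
            self.violations += 1                 # unauthorized extra MAC on this port
            if self.violation == "shutdown":
                self.shutdown.add(port)
            return False
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)         # bogus entries push out real ones
        self.cam[mac] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for one frame."""
        if not self._learn(src, in_port):
            return set()
        out = self.cam.get(dst)
        if out is None:                          # unknown destination: flood like a hub
            return self.ports - {in_port}
        return set() if out == in_port else {out}


def run(max_macs=None, violation="discard", flood_frames=1000):
    """Learn two real hosts, flood from the attacker port, then send server->victim.
    Returns (egress ports of that last frame, shut-down ports, violation count)."""
    sw = Switch(ports=range(1, 9), cam_capacity=256, max_macs=max_macs, violation=violation)
    sw.forward(VICTIM_MAC, BROADCAST, VICTIM_PORT)
    sw.forward(SERVER_MAC, BROADCAST, SERVER_PORT)
    for i in range(flood_frames):                # one never-seen source MAC per frame
        bogus = "02:00:00:%02x:%02x:%02x" % (i >> 16, (i >> 8) & 0xFF, i & 0xFF)
        sw.forward(bogus, BROADCAST, ATTACKER_PORT)
    return sw.forward(SERVER_MAC, VICTIM_MAC, SERVER_PORT), sw.shutdown, sw.violations
```

With port security off, the final server-to-victim frame is flooded to every port including the attacker's; with a one-MAC limit the second bogus address is a violation and the frame reaches only the victim's port.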
5.11.11 Secure Access to a Switch 2 Lab
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by creating an access control list. You have been asked to prevent video game consoles from connecting to the switch.
In this lab, your task is to:
> Create a MAC-based ACL named GameConsoles.
> Configure the GameConsoles MAC-based access control entry (ACE) settings as follows:
---
> Bind the GameConsoles ACL to all of the GE1-GE30 interfaces.
*Use Copy Settings to apply the binding to multiple interfaces.
> Save the changes to the switch's startup configuration file. Use the default settings.
Complete this lab as follows:
1. Create the GameConsoles ACL.
a. From the Getting Started page, under Quick Access, select Create MAC-Based ACL.
b. Select Add.
c. In the ACL Name field, enter GameConsoles.
d. Click Apply and then click Close.
2. Create the MAC-based access control entries.
a. Select MAC-Based ACE Table.
b. Select Add.
c. Enter the priority.
d. Select the action.
e. For Destination MAC Address, make sure Any is selected.
f. For Source MAC Address, select User Defined.
g. Enter the source MAC address value.
h. Enter the source MAC address mask.
i. Click Apply.
j. Repeat steps 2c-2i for additional ACE entries.
k. Click Close.
3. Bind the GameConsoles ACL to all of the interfaces.
a. From the left pane, under Access Control, select ACL Binding (Port).
b. Select GE1.
c. At the bottom of the window, select Edit.
d. Click Select MAC-Based ACL.
e. Select Apply and then select Close.
f. Select Copy Settings.
g. In the Copy configuration to field, enter 2-30.
h. Click Apply.
4. Save the configuration.
a. From the top of the window, select Save.
b. Under Source File Name, make sure Running configuration is selected.
c. Under Destination File Name, make sure Startup configuration is selected.
d. Click Apply.
e. Click OK.
5.11.10 Secure Access to a Switch Lab
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the Networking Closet by restricting management access and by updating the switch's firmware.
In this lab, your task is to:
> Create an access profile named MgtAccess and configure it with the following settings:
- Access Profile Name - MgtAccess
- Rule Priority - 1
- Management Method - All
- Action - Deny
- Applies to Interface - All
- Applies to Source IP Address - All
> Add a profile rule to the MgtAccess profile with the following settings:
- Rule Priority - 2
- Management Method - HTTP
- Action - Permit
- Applies to Interface - All
- Applies to Source IP Address - User Defined
  IP Version - 4
  IP Address - 192.168.0.10
  Network Mask - 255.255.255.0
> Set the MgtAccess profile as the active access profile.
> Save the changes to the switch's startup configuration file using the default settings.
> Update the firmware image to the latest version using the firmware file found in C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.
*If you need to log back into the switch, the username is ITSwitchAdmin and the password is Admin$only.
Complete this lab as follows:
1. Create and configure an access profile named MgtAccess.
a. From the left pane, expand and select Security > Mgmt Access Method > Access Profiles.
b. Select Add.
c. Enter the Access Profile Name of MgtAccess.
d. Enter the Rule Priority of 1.
e. For Action, select Deny.
f. Select Apply and then select Close.
2. Add a profile rule to the MgtAccess profile.
a. From the left pane, under Security > Mgmt Access Method, select Profile Rules.
b. Select the MgtAccess profile and then select Add.
c. Enter a Rule Priority of 2.
d. For Management Method, select HTTP.
e. For Applies to Source IP Address, select User Defined.
f. For IP Address, enter 192.168.0.10.
g. For Network Mask, enter 255.255.255.0.
h. Select Apply and then select Close.
3. Set the MgtAccess profile as the active access profile.
a. From the left pane, under Security > Mgmt Access Method, select Access Profiles.
b. Use the Active Access Profile drop-down list to select MgtAccess.
c. Select Apply.
d. Select OK.
4. Save the changes to the switch's startup configuration file.
a. At the top, select Save.
b. For Source File Name, make sure Running configuration is selected.
c. For Destination File Name, make sure Startup configuration is selected.
d. Select Apply.
e. Select OK.
5. Upgrade the firmware image to the latest version.
a. From the left pane, select Getting Started.
b. Under Quick Access, select Upgrade Device Software.
c. For File Name, select Choose File.
d. Browse to and select C:\Sx300_Firmware\Sx300_FW-1.2.7.76.ros.
e. Select Open.
f. Select Apply.
g. Select OK.
h. From the left pane, under File Management, select Active Image.
i. For Active Image After Reboot, use the drop-down menu to select Image 2.
j. Select Apply.
k. From the left pane, under Administration, select Reboot.
l. From the right pane, select Reboot.
m. Select OK.
5.11.9 Harden a Switch Lab
You are the IT security administrator for a small corporate network. You need to increase the security on the switch in the networking closet. The following table lists the used and unused ports:
Unused Ports: GE2, GE7, GE9-GE20, GE25, GE27-GE28
Used Ports: GE1, GE3-GE6, GE8, GE21-GE24, GE26
In this lab, your task is to:
> Shut down the unused ports.
> Configure the following Port Security settings for the used ports:
- Interface Status: Lock
- Learning Mode: Classic Lock
- Action on Violation: Discard
Complete this lab as follows:
1. Shut down the unused ports.
a. Under Initial Setup, select Configure Port Settings.
b. Select the GE2 port.
c. Scroll down and select Edit.
d. Under Administrative Status, select Down.
e. Scroll down and select Apply.
f. Select Close.
g. With the GE2 port selected, scroll down and select Copy Settings.
h. In the Copy configuration field, enter the remaining unused ports.
i. Select Apply.
*From the Port Setting Table, in the Port Status column, you can see that all the unused ports are now down.
2. Configure the Port Security settings.
a. From the left menu, expand Security.
b. Select Port Security.
c. Select the GE1 port.
d. Scroll down and select Edit.
e. Under Interface Status, select Lock.
f. Under Learning Mode, make sure Classic Lock is selected.
g. Under Action on Violation, make sure Discard is selected.
h. Select Apply.
i. Select Close.
j. Scroll down and select Copy Settings.
k. Enter the remaining used ports.
l. Select Apply.
Ports in the Spanning Tree Protocol exist in one of five states:
> Blocking
> Listening
> Learning
> Forwarding
> Disabled
As you study this section, answer the following questions:
> How are switches indirectly involved in Address Resolution Protocol (ARP) poisoning?
> How does the attacker hide his identity when performing media access control (MAC) address spoofing?
> What is the function of a trunk port?
> What is required for devices to communicate between VLANs?
> How is port security different from port filtering?
In this section, you will learn to:
> Harden a switch.
> Secure access to a switch.
> Use best practices to ensure switch security.
Dynamic Host Configuration Protocol (DHCP) snooping
A security feature on some switches that filters out untrusted DHCP messages.
Dynamic ARP Inspection (DAI)
A security feature on some switches that verifies that each ARP request has a valid IP-to-MAC binding.
Port authentication
A switch feature that follows the 802.1x protocol to allow only authenticated devices to connect.
MAC filtering/port security
A switch feature that restricts connection to a given port based on the MAC address.
Virtual LAN (VLAN)
A virtual LAN (VLAN) is a logical grouping of computers based on switch ports.
> VLAN membership is configured by assigning a switch port to a VLAN.
> A switch can have multiple VLANs configured on it, but each switch port can be a member of only a single VLAN (see the trunk port exception described below).
> VLANs can be defined on a single switch or configured on multiple interconnected switches. With multiple switches, each switch can be configured with the same VLANs, and devices on one switch can communicate with devices on other switches as long as they are members of the same VLAN.
> A trunk port is used to connect two switches together.
- Typically, Gigabit Ethernet ports are used for trunk ports, although any port can be a trunk port.
- A trunk port is a member of all VLANs defined on a switch and carries traffic between the switches.
- When trunking is used, frames that are sent over a trunk port are tagged by the first switch with the VLAN ID so that the receiving switch knows to which VLAN the frame belongs.
- The trunking protocol describes the format that switches use to tag frames with the VLAN ID.
- Because end devices do not understand VLAN tags, the switch removes the tag from the frame before forwarding it to the destination device.
- VLAN tagging is used only for frames that travel between switches on the trunk ports.
> Using VLANs, the switch can create multiple IP broadcast domains. Each VLAN is its own broadcast domain, and broadcast traffic is sent only to members of the same VLAN.
> In a typical configuration with multiple VLANs, workstations in one VLAN cannot communicate with workstations in other VLANs. To enable inter-VLAN communication, you need a router (or an OSI Layer 3 switch).
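An added example, not from the lesson, that builds and parses 802.1Q-tagged frames to show the tagging on the trunk and the tag removal at the access port described above. It goes one step further than the text: the access-port check rejects any frame that already carries a tag, which is how a frame with two tags (the double tagging attack in the attacks list below) is stopped at the edge. The frames, MAC addresses and switch functions are constructed and are not any vendor's implementation.

```python
"""802.1Q VLAN tagging between switches and tag removal at the access port.
Added example, not from the lesson; the frames are constructed bytes and the
tag/untag functions are a minimal model, not any vendor's implementation."""
import struct

ETHERTYPE_8021Q = 0x8100   # tag protocol identifier that precedes a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vlan_ids=()):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    dst, src, pos, vids = frame[:6].hex(":"), frame[6:12].hex(":"), 12, []
    while len(frame) >= pos + 4 and struct.unpack("!H", frame[pos:pos + 2])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        pos += 4
    etype = struct.unpack("!H", frame[pos:pos + 2])[0]
    return dst, src, vids, etype, frame[pos + 2:]


def access_ingress(frame, port_vlan):
    """First switch: a frame arriving from an end device on an access port.
    End devices send untagged frames, so any tag present is a policy violation
    (two tags is the double tagging attack) and the frame is dropped; otherwise
    the frame is tagged with the port's VLAN ID for the trunk."""
    dst, src, vids, etype, payload = parse_frame(frame)
    if vids:
        return None, f"dropped: {len(vids)} tag(s) {vids} on access port of VLAN {port_vlan}"
    return build_frame(dst, src, payload, (port_vlan,)), "tagged for trunk"


def trunk_ingress_to_access(frame):
    """Second switch: read the VLAN ID, then remove the tag before delivery to a host."""
    dst, src, vids, etype, payload = parse_frame(frame)
    return (vids[0] if vids else None), build_frame(dst, src, payload)


# Constructed sample frames: a normal host frame and a double-tagged one.
HOST = build_frame("00:11:22:33:44:11", "00:11:22:33:44:10", b"hello")
DOUBLE = build_frame("00:11:22:33:44:11", "00:11:22:33:44:99", b"hop", (1, 20))
```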
ARP spoofing/poisoning
ARP spoofing/poisoning associates the attacker's MAC address with the IP address of a victim's device.
> When computers send an ARP request for the MAC address of a known IP address, the attacker's system responds with its own MAC address.
> The source device then sends frames to the attacker's MAC address instead of to the correct device.
> Switches are indirectly involved in the attack because they do not verify the MAC address/IP address association.
> A default gateway is a prime target because local traffic goes through the default gateway to reach non-local destinations such as the internet.
> When the attacker's system receives packets intended for the default gateway, the attacker can:
- Forward the packets to the actual default gateway (passive sniffing).
- Modify data in the packets before forwarding them (man-in-the-middle).
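An added example, not from the lesson, of how Dynamic ARP Inspection closes the gap described above: the switch checks each ARP reply seen on an untrusted port against the IP-to-MAC bindings recorded by DHCP snooping, so a reply that claims the gateway's IP address with a different MAC address is dropped instead of poisoning the hosts' ARP caches. The binding table, trusted port list and ARP records are constructed sample data, not any vendor's format.

```python
"""Dynamic ARP Inspection (DAI) check against a DHCP snooping binding table.
Added example, not from the lesson and not any vendor's implementation: the
bindings, trusted ports and ARP reply records below are constructed data."""
import re

# Constructed DHCP snooping bindings: the IP-to-MAC pairs the switch saw DHCP hand out.
BINDINGS = {
    "192.168.0.1": "00:11:22:33:44:01",   # default gateway
    "192.168.0.10": "00:11:22:33:44:10",
    "192.168.0.11": "00:11:22:33:44:11",
}
TRUSTED_PORTS = {"GE24"}   # uplink to the router; DAI does not inspect trusted ports

# Constructed ARP replies as a switch might log them: ingress port, sender, target.
ARP_REPLIES = """\
GE3 reply sender=192.168.0.10/00:11:22:33:44:10 target=192.168.0.11/00:11:22:33:44:11
GE24 reply sender=192.168.0.1/00:11:22:33:44:01 target=192.168.0.10/00:11:22:33:44:10
GE8 reply sender=192.168.0.1/00:11:22:33:44:99 target=192.168.0.10/00:11:22:33:44:10
GE8 reply sender=192.168.0.11/00:11:22:33:44:99 target=192.168.0.10/00:11:22:33:44:10
GE5 reply sender=192.168.0.50/00:11:22:33:44:50 target=192.168.0.10/00:11:22:33:44:10
"""

LINE_RE = re.compile(
    r"^(?P<port>\S+) reply sender=(?P<sip>[\d.]+)/(?P<smac>[0-9a-f:]{17}) "
    r"target=(?P<tip>[\d.]+)/(?P<tmac>[0-9a-f:]{17})$")


def inspect(line, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP reply; verdict is 'permit' or 'drop'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "drop", "unparseable ARP record"
    port, sip, smac = m["port"], m["sip"], m["smac"]
    if port in trusted:
        return "permit", "trusted port, not inspected"
    bound = bindings.get(sip)
    if bound is None:                   # sender IP never handed out by DHCP
        return "drop", f"no DHCP binding for {sip}"
    if bound != smac:                   # the poisoning case: right IP, wrong MAC
        return "drop", f"{sip} is bound to {bound}, reply claims {smac}"
    return "permit", "sender matches binding"


def inspect_all(text=ARP_REPLIES):
    """Run the check over every record; returns [(port, verdict, reason), ...]."""
    results = []
    for line in text.splitlines():
        if line.strip():
            verdict, reason = inspect(line)
            results.append((line.split()[0], verdict, reason))
    return results
```

The two GE8 records are the attack from the text (the attacker's MAC answering for the gateway and for another host); both are dropped because DHCP snooping recorded different MACs for those addresses.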
ARP spoofing
An attack in which the attacker's MAC address is associated with the IP address of a target's device.
Double tagging
An attack in which the attacking host adds two VLAN tags instead of one to the header of the frames that it transmits.
VLAN hopping
An attack in which the source MAC address is changed on frames sent by the attacker.
MAC spoofing
An attack in which the source MAC address is changed in the header of a frame.
MAC flooding
An attack that overloads a switch's MAC forwarding table to make the switch function like a hub.
5.11.6 Spoof MAC Addresses with SMAC Lab
As an IT administrator, you need to know how security breaches are caused. You know that SMAC is used for MAC spoofing, so you are going to spoof your MAC address.
In this lab, your task is to complete the following:
> On Office2, use ipconfig /all to find the IP address and MAC address.
> Using SMAC, spoof the MAC address on ITAdmin to match that of Office2.
> Refresh the IP address on ITAdmin.
> Verify that the MAC and IP address now match Office2.
Complete this lab as follows:
1. Find the MAC address for Office2.
a. Right-click Start and then select Windows PowerShell (Admin).
b. From the PowerShell prompt, type ipconfig /all and press Enter.
c. Find the MAC address.
2. Spoof the MAC address.
a. From the top navigation tabs, select Floor 1 Overview.
b. Under IT Administration, select ITAdmin.
c. In the Windows search bar, type SMAC.
d. Under Best match, right-click SMAC and select Run as administrator.
e. In the New Spoofed Mac Address field, type 00:00:55:55:44:15 (the MAC address from Office2).
f. Select Update MAC.
g. Select OK to confirm the adapter restart.
3. Renew the IP information for the ITAdmin computer.
a. Right-click Start and select Windows PowerShell (Admin).
b. From the PowerShell prompt, type ipconfig /renew to renew the IP address.
c. Type ipconfig /all to confirm that the MAC address and the IP address have been updated.
Implement Switch Security
Be aware of the following when implementing switch security:
> Creating VLANs with switches offers many administrative benefits. For example, you can:
- Create virtual LANs based on criteria such as workgroup, protocol, or service
- Simplify device moves (devices are moved to new VLANs by modifying the port assignment)
- Control broadcast traffic based on logical criteria (only devices in the same VLAN receive broadcast traffic)
- Control security (isolate traffic within a VLAN)
> When you use switches to create VLANs, you still need routers to:
- Route data between VLANs
- Provide port filtering. Port filtering filters network packets in and out of devices based on their application type or port number.
- Route data into and out of the local area network
> VLANs are commonly used with Voice over IP (VoIP) to distinguish voice traffic from data traffic. Traffic on the voice VLAN can be given a higher priority to ensure timely delivery.
> MAC filtering uses the MAC address of a device to drop or forward frames through the switch. Port authentication requires that the user or device authenticate before frames are forwarded through the switch.
> In general, all switch ports are enabled by default. To increase the security of the switch and network, disable individual ports that are not in use.