Sunday, January 2, 2011

Campus Network Security

Attention has traditionally been paid to network perimeter security, such as firewalls, and to mitigating Layer 3 attacks. However, networks must also be protected against Layer 2 attacks. These are launched from devices inside the network, either a rogue device or a legitimate device that has been compromised. Rogue devices might be placed maliciously or might just be connected to an access switch by an employee wanting more switch ports or wireless access. They include:
  • Wireless routers or hubs
  • Access switches
  • Hubs
A rogue switch might become the Spanning Tree root bridge and disrupt user traffic. Use the root guard and BPDU guard features to prevent this.

There are four typical types of attacks against a switched network:
  • MAC-based attacks, such as MAC address flooding
  • VLAN-based attacks, such as VLAN hopping and attacks against devices on the same VLAN
  • Spoofing attacks, such as DHCP spoofing, MAC spoofing, Address Resolution Protocol (ARP) spoofing, and Spanning Tree attacks
  • Attacks against the switch, such as Cisco Discovery Protocol (CDP) manipulation, Telnet attacks, and Secure Shell (SSH) attacks

MAC Address Flooding

In a MAC address flooding attack, the attacker sends frames with a large number of bogus source MAC addresses, filling the switch’s Content Addressable Memory (CAM) table. Once the table is full, the switch can no longer learn new addresses, so all traffic to a destination not in the table is flooded out every port in the VLAN. This has two bad effects: more traffic on the LAN and more work for the switch. Additionally, traffic for other hosts is now flooded to the attacker’s port as well, so the attacker can capture frames that would normally be switched only to their intended destination. After the attack stops, CAM entries age out and life returns to normal; meanwhile, however, the attacker might have captured a significant amount of data.

Port security and port-based authentication can help mitigate MAC address attacks.


Port Security

Port security limits the number of MAC addresses allowed per port and can also limit which MAC addresses are allowed. Allowed MAC addresses can be manually configured or the switch can sticky learn them. When the limit is exceeded, the default violation action is to shut the port down (error-disable it). Table 8-1 lists port security commands; these are given at the interface.
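To make the flooding behaviour and the port-security mitigation concrete, here is an added example (not from the original page or from Cisco) that models a switch CAM table with a fixed capacity and a per-port source-MAC limit in the style of "switchport port-security maximum N" with the default shutdown violation mode. All MAC addresses, port names and the frame sequence are constructed for the demonstration; the CAM capacity is deliberately tiny so the flood is visible in a few frames.

```python
from dataclasses import dataclass, field

# Added example (not from the original page): a toy model of a switch's CAM
# table with a fixed capacity, plus a port-security check that limits how many
# source MACs one port may learn. Every MAC address, port name and frame
# sequence below is constructed for the demonstration.

PORTS = ["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"]
CAM_CAPACITY = 4     # deliberately tiny so the flood shows up after a few frames
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    capacity: int = CAM_CAPACITY
    max_macs: dict = field(default_factory=dict)   # port -> port-security limit
    cam: dict = field(default_factory=dict)        # learned MAC -> port
    seen: dict = field(default_factory=dict)       # port -> set of source MACs
    err_disabled: set = field(default_factory=set)
    flooded: int = 0                               # frames flooded to all ports

    def forward(self, in_port, src, dst):
        """Switch one frame and return the list of egress ports."""
        if in_port in self.err_disabled:
            return []                                # port shut down: frame dropped
        # Port security: a new source MAC beyond the limit is a violation.
        macs = self.seen.setdefault(in_port, set())
        limit = self.max_macs.get(in_port)
        if src not in macs:
            if limit is not None and len(macs) >= limit:
                self.err_disabled.add(in_port)       # violation mode "shutdown"
                return []
            macs.add(src)
        # Source learning only succeeds while the CAM table has free entries.
        if src not in self.cam and len(self.cam) < self.capacity:
            self.cam[src] = in_port
        # Known unicast goes out one port; unknown unicast and broadcast flood.
        out = self.cam.get(dst)
        if out is None:
            self.flooded += 1
            return [p for p in PORTS if p != in_port]
        return [] if out == in_port else [out]


def run_scenario(port_security_limit=None):
    """Two legitimate hosts, then an attacker on Fa0/3 spraying bogus source
    MACs (macof-style), then a new host on Fa0/4 that the switch may or may
    not be able to learn. Returns the switch and the egress ports of host 1's
    reply to host 4: if Fa0/3 is among them, the attacker sees that frame."""
    sw = Switch()
    if port_security_limit is not None:
        sw.max_macs["Fa0/3"] = port_security_limit
    sw.forward("Fa0/1", "00:00:00:00:00:01", BROADCAST)
    sw.forward("Fa0/2", "00:00:00:00:00:02", BROADCAST)
    for i in range(10):
        sw.forward("Fa0/3", f"de:ad:be:ef:00:{i:02x}", BROADCAST)
    sw.forward("Fa0/4", "00:00:00:00:00:04", "00:00:00:00:00:01")
    reply = sw.forward("Fa0/1", "00:00:00:00:00:01", "00:00:00:00:00:04")
    return sw, reply


if __name__ == "__main__":
    sw, reply = run_scenario()
    print("no port security: reply to host 4 goes out", reply)
    sw, reply = run_scenario(port_security_limit=1)
    print("port security max 1: reply goes out", reply,
          "err-disabled:", sorted(sw.err_disabled))
```

Without port security the attacker needs only two bogus addresses to fill this four-entry table, after which the new host on Fa0/4 is never learned and host 1's reply to it is flooded to the attacker's port. With a limit of one MAC on Fa0/3, the second bogus address error-disables the port, the table keeps room for the legitimate host, and the reply is delivered only to Fa0/4. A real CAM table holds thousands of entries, but tools that generate random source MACs fill it in seconds, so the outcome is the same.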




Port-Based Authentication

802.1x authentication requires a computer (called a client) to be authenticated before it is allowed access to the LAN. This can be combined with port security to allow only authenticated clients with specified MAC addresses to access a port. When a computer connects to a switch port configured for 802.1x authentication, the following steps occur:

Step 1. The port is in the unauthorized state, allowing only 802.1x EAP over LAN (EAPOL) traffic.

Step 2. The client connects to the port. The switch either requests authentication or the client sends an EAPOL frame to begin authentication.

Step 3. The switch acts as a proxy for the client, relaying authentication information between the client (the supplicant) and a RADIUS server (the authentication server).

Step 4. If authentication succeeds, the port transitions to the authorized state, and normal LAN traffic is allowed through it.

Table 8-2 shows commands to configure 802.1x authentication on a switch.

Wednesday, October 27, 2010

Configuring VoIP Support on a Switch

Manual Configuration

To associate a voice VLAN with a switch port, use the following:

Switch(config-if)#switchport voice vlan vlan-ID


To configure an IOS switch to trust the markings on traffic entering an interface, use the following:

Switch(config-if)#mls qos trust {dscp | cos}


To configure the switch to trust the traffic markings only if a Cisco phone is connected, use the following:

Switch(config-if)#mls qos trust device cisco-phone


To set a CoS value for frames coming from a PC attached to the phone, use the following:

Switch(config-if)#switchport priority extend cos cos-value


To verify the interface parameters, use the following:

Switch#show interfaces interface switchport


To verify the QoS parameters on an interface, use the following:

Switch#show mls qos interface interface


Using AutoQoS

When AutoQoS is enabled, the switch configures its interfaces based on a best-practices template. AutoQoS has the following benefits:
  • Automatic discovery and classification of network applications.
  • Creates QoS policies for those applications.
  • Configures the switch to support Cisco IP phones as well as network applications. Manual configuration can be done afterward, also.
  • Sets up SNMP traps for network reporting.
  • Configures consistently across your network when used on all routers and switches.

CDP must be enabled for AutoQoS to function properly with Cisco IP phones.

AutoQoS commands for switches running the Catalyst OS are listed in Table 7-2.


AutoQoS commands for switches running Native IOS are shown in Table 7-3.

Wednesday, June 9, 2010

QoS for VoIP

QoS gives special treatment to certain traffic at the expense of others. Using QoS in the network has several advantages:
  • Prioritizes access to resources, so that critical traffic can be served.
  • Allows good management of network resources.
  • Allows service to be tailored to network needs.
  • Allows mission-critical applications to share the network with other data.

People sometimes think that there is no need for QoS strategies in a LAN. However, switch ports can experience congestion because of port speed mismatches, many people trying to access the switch backbone, and many people trying to send traffic to the same switch port (such as a server port).


QoS Actions

Three QoS strategies are commonly implemented on interfaces where traffic enters the switch:
  • Classification—Distinguishing one type of traffic from another. After traffic is classified, other actions can be performed on it. Some classification methods include access lists, ingress interface, and NBAR.
  • Marking—At layer 2, placing 802.1p class of service (CoS) value within the 802.1Q tag. At layer 3, setting IP Precedence or Differentiated Services Code Point (DSCP) values on the classified traffic.
  • Policing—Determining whether or not a specific type of traffic is within preset bandwidth levels. If so, it is usually allowed and might be marked. If not, the traffic is typically marked or dropped. CAR and class-based policing are examples of policing techniques.

Other QoS techniques are typically used on outbound interfaces:
  • Traffic shaping and conditioning—Attempts to send traffic out in a steady stream at a specified rate. Buffers traffic that goes above that rate and sends it when there is less traffic on the line.
  • Queuing—After traffic is classified and marked, one way it can be given special treatment is to be put into different queues on the interface to be sent out at different rates and times. Some examples include priority queuing, weighted fair queuing, and custom queuing. The default queuing method for a switch port is FIFO.
  • Dropping—Normally interface queues accept packets until they are full and then drop everything after that. You can implement prioritized dropping, so that less important packets are dropped before more important ones—such as with Weighted Random Early Detection (WRED).

DSCP Values

Differentiated services provide levels of service based on the value of certain bits in the IP or ISL header or the 802.1Q tag. Each hop along the way must be configured to treat the marked traffic the way you want—this is called per-hop behavior (PHB).

In the Layer 3 IP header, you use the 8-bit ToS field. You can set either IP Precedence using the top 3 bits or Differentiated Services Code Points (DSCP) using the top 6 bits of the field. The bottom 2 bits are set aside for congestion notification. The default DSCP value is zero, which corresponds to best-effort delivery.

The six DSCP bits can be broken down into two sections: The first 3 bits define the DiffServ Assured Forwarding (AF) class, and the next 2 bits define the drop probability within that class. The sixth bit is 0 and unused. AF classes 1–4 are defined, and within each class, 1 is low drop probability, 2 is medium, and 3 is high (meaning that traffic is more likely to get dropped if there is congestion). These are shown in Table 7-1. Each hop still needs to be configured for how to treat each AF class.



Voice bearer traffic uses an Expedited Forwarding value of DSCP 46 to give it higher priority within the network.
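The bit layout described in the last few paragraphs is easy to get wrong when reading captures or writing a policy map, so here is an added example (not from the original page) that writes it out in code: it rebuilds the AF class table, names EF and the class-selector values, shows how a router that only reads IP Precedence interprets a DSCP, and composes or splits the 8-bit ToS byte with its two ECN bits. Only the numeric layout is assumed; no device behaviour is modelled.

```python
# Added example (not from the original page): the DSCP bit layout written out
# as code. Rebuilds the AF table, shows the EF value used for voice bearer
# traffic, and places a DSCP in the ToS byte next to the two ECN bits.

EF = 46   # Expedited Forwarding: 101110 binary, used for voice bearer traffic


def af_dscp(af_class, drop_precedence):
    """DSCP for AFxy: class in the top 3 bits, drop precedence in the next 2,
    lowest bit always 0. AF11 -> 10, AF41 -> 34, AF43 -> 38."""
    if af_class not in (1, 2, 3, 4):
        raise ValueError("AF classes 1-4 are defined")
    if drop_precedence not in (1, 2, 3):
        raise ValueError("drop precedence is 1 (low), 2 (medium) or 3 (high)")
    return (af_class << 3) | (drop_precedence << 1)


def af_table():
    """{'AF11': 10, 'AF12': 12, ..., 'AF43': 38}: the content of the AF table."""
    return {f"AF{c}{d}": af_dscp(c, d) for c in range(1, 5) for d in range(1, 4)}


def describe(dscp):
    """Name a code point: EF, AFxy, CSx (class selector) or best effort."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    if dscp == EF:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if cls in (1, 2, 3, 4) and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"
    if low == 0:
        return f"CS{cls}" if cls else "default (best effort)"
    return f"DSCP {dscp}"


def ip_precedence(dscp):
    """Legacy IP Precedence is the top 3 bits of the same field, so a device
    that only reads precedence sees EF (46) as precedence 5 and AF4x as 4."""
    return dscp >> 3


def tos_byte(dscp, ecn=0):
    """Compose the 8-bit ToS/DS byte: DSCP in bits 7-2, ECN in bits 1-0."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def parse_tos_byte(tos):
    """Split a ToS byte back into (dscp, ecn); the inverse of tos_byte."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    return tos >> 2, tos & 0b11


if __name__ == "__main__":
    for name, value in af_table().items():
        print(f"{name}: DSCP {value:2d} = {value:06b}, precedence {ip_precedence(value)}")
    print(f"EF: DSCP {EF} = {EF:06b}, ToS byte 0x{tos_byte(EF):02x}")
    dscp, ecn = parse_tos_byte(0xb8)
    print(f"ToS 0xb8 -> DSCP {dscp} ({describe(dscp)}), ECN {ecn}")
```

Voice bearer packets marked EF therefore carry a ToS byte of 0xB8 on the wire, which is the value to look for in a capture when checking that a trust boundary is honouring the phone's marking.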


Trust Boundaries

When IP traffic comes in already marked, the switch has some options about how to handle it. It can:
  • Trust the DSCP value in the incoming packet, if present.
  • Trust the IP Precedence value in the incoming packet, if present.
  • Trust the CoS value in the incoming frame, if present.
  • Classify the traffic based on an IP access control list or a MAC

Mark traffic for QoS as close to the source as possible. If the source is an IP telephone, it can mark its own traffic. If not, the building access module switch can do the marking. If those are not under your control, you might need to mark at the distribution layer. Classifying and marking adds processing overhead, so do not do it at the core. All devices along the path should then be configured to trust the marking and provide a level of service based on it. The point beyond which markings are trusted rather than re-classified is called the trust boundary; devices outside it, such as an unmanaged PC, should not be trusted to mark their own traffic.

Thursday, May 6, 2010

VoIP in a Campus Network

Many companies are integrating Voice over IP (VoIP) into their networks. Figure 7-1 shows some components of a VoIP system, which can include the following:
  • IP phones—Provide voice and applications to the user.
  • Voice gateways—Translate between PSTN and IP calls and provide backup to the Cisco CallManager (IP PBX, or Call Agent).
  • Gatekeepers—An optional component that can do call admission control, allocate bandwidth for calls, and resolve phone numbers into IP addresses.
  • Cisco CallManager—Serves as an IP PBX. Registers phones, controls calls.
  • Video conferencing unit—Allows voice and video in the same phone call.
  • Multipoint control unit—Allows multiple participants to join an audio and/or video conference call.
  • Application server—Provides services such as Unity voice mail.


Voice and data have different network requirements. Although TCP data adjusts to dropped packets, packet loss is one of the biggest enemies of voice transmissions and is often caused by jitter and congestion. Jitter (variable delay) causes buffer over- and under-runs. Congestion at the interface can be caused by traffic from a fast port being switched to exit out a slower port, which causes the transmit buffer to be overrun.

VoIP traffic consists of two types: voice bearer and call control signaling. Voice bearer traffic is carried over the UDP-based Real-time Transport Protocol (RTP). Call control uses one of several different protocols to communicate between the phone and CallManager and between the CallManager and the voice gateways.


Preparing the Network for VoIP

When adding voice or video to an existing network, you should examine several things in advance to provide the high level of availability users expect in their phone system:

  • What features are needed?—Power for IP phones, voice VLANs on the switches, network redundancy for high availability, security for voice calls, and Quality of Service (QoS) settings.
  • The physical plant—Cabling at least CAT-5.
  • Electrical power for the IP phones—Use either inline power from Catalyst switch or power patch panel. Need uninterruptible power supply (UPS) with auto-restart, monitoring, and 4-hour response contract. May need generator backup. Maintain correct operating temperatures.
  • Bandwidth—Commit no more than 75 percent of bandwidth. Consider all types of traffic—voice, video, and data. Have more than enough bandwidth if possible. Include both voice and call control traffic in your planning.
  • Network management—Need to monitor and proactively manage the network so that it does not go down.

Network and Bandwidth Considerations

The network requirements for VoIP include:
  • Maximum delay of 150–200 ms (one-way)
  • No more than 1 percent packet loss
  • Maximum average jitter of 30 ms
  • Bandwidth of 21–106 kbps per call, plus about 150 bps per phone for control traffic
A formula to use when calculating bandwidth needed for voice calls is as follows:

(Packet payload + all headers) * Packet rate per second
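Applying the formula for two common codecs, as an added example (not from the original page): the codec bit rates and the 40-byte IP/UDP/RTP header are standard figures, while the Layer 2 overhead values, the 2-byte compressed RTP header and the T1 link size are assumptions made for this illustration. The last function also applies the 75 percent rule and the per-phone control-traffic allowance from the planning notes above.

```python
# Added example (not from the original page): the bandwidth formula
# (payload + all headers) * packet rate, applied to G.711 and G.729.
# Layer 2 overhead, the cRTP header size and the link sizes are assumptions.

IP_UDP_RTP_HEADER = 20 + 8 + 12     # bytes per packet, uncompressed
CRTP_HEADER = 2                     # bytes per packet with RTP header compression (assumed)
L2_OVERHEAD = {"ethernet": 18, "ppp": 6, "frame-relay": 6}   # bytes, assumed
CONTROL_BPS_PER_PHONE = 150         # call-control allowance quoted on the page

CODECS = {                          # codec bit rate (kbps), packetization interval (ms)
    "G.711": (64, 20),
    "G.729": (8, 20),
}


def packet_payload_bytes(codec):
    """Voice bytes per packet: bit rate x interval. G.711 at 20 ms -> 160 bytes."""
    kbps, interval_ms = CODECS[codec]
    return kbps * interval_ms // 8


def packets_per_second(codec):
    """One packet per packetization interval: 20 ms -> 50 pps."""
    return 1000 // CODECS[codec][1]


def call_bandwidth_kbps(codec, link="ethernet", crtp=False):
    """(payload + all headers) * packet rate, in kbps for one direction of a call."""
    headers = (CRTP_HEADER if crtp else IP_UDP_RTP_HEADER) + L2_OVERHEAD[link]
    bits_per_second = (packet_payload_bytes(codec) + headers) * packets_per_second(codec) * 8
    return bits_per_second / 1000


def calls_that_fit(link_kbps, codec, link="ethernet", crtp=False, phones=0, utilization=0.75):
    """Simultaneous calls a link carries when no more than 75 percent of it is
    committed, after setting aside the per-phone control-traffic allowance."""
    budget_kbps = link_kbps * utilization - phones * CONTROL_BPS_PER_PHONE / 1000
    return int(budget_kbps // call_bandwidth_kbps(codec, link, crtp))


if __name__ == "__main__":
    for codec in CODECS:
        for link in ("ethernet", "ppp"):
            print(f"{codec} over {link}: {call_bandwidth_kbps(codec, link):.1f} kbps per call")
    print("G.729 over PPP with cRTP:", call_bandwidth_kbps("G.729", "ppp", crtp=True), "kbps")
    print("G.711 calls on an assumed 1544 kbps T1 serving 40 phones:",
          calls_that_fit(1544, "G.711", "ppp", phones=40))
```

G.711 on Ethernet comes to 87.2 kbps and G.729 to 31.2 kbps per direction, both inside the 21–106 kbps range quoted above; the headers are a larger share of the total than the voice payload for G.729, which is why header compression on slow WAN links matters more than the choice of codec.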


Auxiliary (or Voice) VLANs

Cisco switches can be configured to dynamically place IP telephones into a VLAN separate from the data VLANs. They can do this even when the phone and PC are physically connected to the same switch port. This is called an auxiliary VLAN or a voice VLAN. Voice VLANs allow phones to be dynamically placed in a separate IP subnet from hosts, allow QoS (using 802.1Q/p headers) and security policies to be applied, and make troubleshooting easier.

Monday, March 15, 2010

Wireless LAN Antennas

Several concepts are important in understanding wireless antennas:
  • Gain—The energy an antenna adds to the RF signal.
  • Directionality—How the radio coverage is distributed.
  • Polarization—The physical orientation of the RF element. Cisco Aironet antennas use vertical polarization.
  • Multipath Distortion—Receiving both direct and reflected signals arriving from different directions.
  • Effective Isotropic Radiated Power (EIRP)—The AP radio’s effective transmission power. Includes gain from the antenna and loss from the antenna’s cable.

Gain
Cisco measures gain in dBi, which stands for decibel isotropic and is a measure of decibels relative to an isotropic source in free space. A decibel expresses the ratio between two signal levels on a logarithmic scale. An isotropic antenna is a theoretical one in which the signal spreads out evenly in all directions from one point. Thus, dBi is the ratio of an antenna’s signal to that of an isotropic antenna.

Directionality

Omnidirectional antennas have signals that theoretically extend in all directions, both vertically and horizontally. When gain is increased, the signal expands horizontally but decreases vertically. One omnidirectional example is the dipole “Rubber Duck” antenna.

Directional antennas aim their signal in a specific direction. Signals can spread fairly wide in one direction or can be narrowly focused. Some examples include the Diversity Patch Wall Mount Antenna, Yagi, and dish antennas.

Multipath Distortion

Because radio waves are transmitted in many directions, not all go in a straight line to every client’s antenna. Some bounce off walls or other objects and arrive at the client in varying intervals. Thus, the client receives several copies of the same RF signal, which can cause degraded data quality. This is multipath distortion, or multipath interference. Diversity systems try to minimize this by using two antennas; you might try moving antennas or changing the frequency if this is a problem in your facility. OFDM uses multiple frequencies operating together to increase performance in multipath situations.


EIRP

EIRP is the actual power of the signal that comes from the antenna, measured in Decibel Milliwatts (dBm). (0 dBm equals 1 milliwatt of power.) EIRP is calculated by taking the transmitter power, subtracting the amount of signal lost traversing the cable between the transmitter and antenna, and adding the antenna’s gain. This can be expressed:

EIRP = (power – cable loss) + antenna gain.

Different countries have different rules about the amount of EIRP allowed. For instance, the maximum in the United States is 36 dBm. To minimize signal loss, use the shortest low-loss cable possible. Thicker cables lose less signal but are also more expensive.
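The EIRP formula in code, as an added example (not from the original page): it converts between dBm and milliwatts, computes cable loss from length, checks the result against the 36 dBm limit quoted above, and turns the formula around to find the largest transmitter setting that stays legal with a given antenna. The radio power, cable loss per 100 m and antenna gains used in the demonstration are assumed values, not specifications of any product.

```python
import math

# Added example (not from the original page): EIRP = (power - cable loss) + gain,
# with dBm/mW conversion and a check against the US limit quoted on the page.
# All transmitter, cable and antenna figures below are assumptions.

US_MAX_EIRP_DBM = 36


def dbm_to_mw(dbm):
    """0 dBm = 1 mW; every +10 dB multiplies the power by ten."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    """Inverse of dbm_to_mw; 100 mW -> 20 dBm, 1 W -> 30 dBm."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw)


def cable_loss_db(length_m, loss_db_per_100m):
    """Loss grows linearly with length, which is why short, low-loss cable matters."""
    return length_m * loss_db_per_100m / 100


def eirp_dbm(tx_power_dbm, cable_loss_db, antenna_gain_dbi):
    """EIRP = (power - cable loss) + antenna gain, all in dB terms."""
    return (tx_power_dbm - cable_loss_db) + antenna_gain_dbi


def max_tx_power_dbm(limit_dbm, cable_loss_db, antenna_gain_dbi):
    """Largest transmitter setting that keeps EIRP at or under a regulatory limit."""
    return limit_dbm + cable_loss_db - antenna_gain_dbi


def within_limit(tx_power_dbm, cable_loss_db, antenna_gain_dbi, limit_dbm=US_MAX_EIRP_DBM):
    """True if the configuration is inside the limit for the regulatory domain."""
    return eirp_dbm(tx_power_dbm, cable_loss_db, antenna_gain_dbi) <= limit_dbm


if __name__ == "__main__":
    # Assumed setup: 100 mW radio, 10 m of cable losing 7 dB per 100 m, 13.5 dBi yagi.
    loss = cable_loss_db(10, 7)
    e = eirp_dbm(mw_to_dbm(100), loss, 13.5)
    print(f"EIRP {e:.1f} dBm = {dbm_to_mw(e):.0f} mW, within US limit: {within_limit(20, loss, 13.5)}")
    # A 1 W radio into an assumed 24 dBi dish exceeds the limit; find the setting that does not.
    print("1 W into 24 dBi dish within limit:", within_limit(30, loss, 24))
    print("max tx power into 24 dBi dish:", round(max_tx_power_dbm(US_MAX_EIRP_DBM, loss, 24), 1), "dBm")
```

Because the arithmetic is in decibels, the antenna gain adds directly to the transmitter power: a 100 mW radio behind a 13.5 dBi yagi radiates close to 2 W in the main lobe, which is why regulators cap EIRP rather than transmitter power.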


Power over Ethernet (PoE) Switches

Access points can receive their power over Ethernet cables from Power over Ethernet (PoE) switches, routers with PoE switch modules, or midspan power injectors, thus alleviating the need for electrical outlets near them. APs require up to 15W of power, so plan your power budget accordingly. Two power standards are the Cisco Prestandard PoE and the IEEE’s 802.3af standard. Both have a method for sensing that a powered device is connected to the port. 802.3af specifies a method for determining the amount of power needed by the device. Cisco devices, when connected to Cisco switches, can additionally use CDP to send that information. Power can be supplied over the data pairs—1, 2, 3, and 6—or over the unused pairs of 4, 5, 7, and 8.

Cisco PoE switches are configured by default to automatically detect and provide power. To disable this function, or to re-enable it, use the interface command power inline {never | auto}. To view interfaces and the power allotted to each, use show power inline [interface].


Configuring Wireless LAN Devices

Autonomous APs must be configured individually, while the WLC provides configuration to lightweight APs. WLAN clients must also be configured; this process varies depending on the client software used.

Configuring Autonomous Access Points

Autonomous APs can be configured in one of three ways:
  • IOS Command Line—Either via Telnet or the console port.
  • Web browser—This is the Cisco preferred way.
  • CiscoWorks WLSE—For centralized configuration control.

The AP must already have an IP address to use any of these except the console port. It attempts to obtain one via DHCP by default. This link has directions and screen shots for both the command line and web browser configuration:

http://www.cisco.com/en/US/products/ps6087/products_installation_and_configuration_guides_list.html

Aironet 1100, 1200, and 1300 series APs perform various functions:
  • Wireless AP
  • Root bridge
  • Nonroot bridge
  • Repeater
  • Scanner
  • Workgroup bridge

Configuring a WLAN Controller

Cisco lightweight APs receive their configuration from the Wireless LAN Controller, which must be configured first. Initial configuration of the lightweight WLC can be done via command line using the console port or via web browser using the service port. Subsequent configuration can be done via:
  • IOS Command Line—Either by Telnet, SSH, or the console port.
  • Web browser—Using the WLC’s IP address and Internet Explorer.
  • Cisco Wireless Control System—For centralized configuration control.

You need to configure the WLC with information such as VLANs, SSIDs, and security policies. It downloads a configuration to its associated APs, and you can also configure, monitor, or reset individual APs through the web browser of the WLC. Review the material at this link
for screen shots and WLC configuration information:
http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_book09186a00806b0077.html

WLCs use several different types of physical and logical interfaces that are described in Table 6-2.

Wednesday, February 24, 2010

Cisco Wireless Network Components

This section is mainly concerned with Cisco products and is quite marketing oriented. Cisco supports two types of wireless solutions: one using autonomous access points, and one using lightweight (or “dumb”) access points in combination with WLAN controllers. The wired network infrastructure is the same for both types: switches and routers.


Cisco Unified Wireless Network

The Cisco Unified Wireless Network concept has five components that work together to create a complete network, from client devices to network infrastructure, to network applications. Cisco has equipment appropriate to each component. Table 6-1 lists components and equipment.


Cisco has a wireless NIC that can be installed on Windows 2000 and Windows XP systems. It comes with some utilities: Aironet Desktop Utility (ADU), Aironet Client Monitor (ACM), and Aironet Client Administration Utility (ACAU). Cisco recommends using the ADU and ACM utilities to control your wireless card, rather than the built-in Windows controls to get the increased functionality Cisco provides. The Cisco ACAU allows loading and configuration of the Cisco client software over the network, using encrypted files. There is also an Aironet Site Survey Utility to scan for APs and get information about them.

Cisco wireless IP phones have the same features as Cisco wired IP phones and can use LEAP for authentication.

The Cisco Compatible Extensions Program tests other vendors’ devices for compatibility with Cisco wireless products. Using products certified by this program ensures full functionality of Cisco enhancements and proprietary extensions. A list of these products can be found at www.cisco.com/go/ciscocompatible/wireless.


Autonomous APs

Autonomous APs run Cisco IOS, are programmed individually, and act independently. They can be centrally managed with the CiscoWorks Wireless LAN Solution Engine (WLSE) and can use Cisco Secure Access Control Server (ACS) for RADIUS and TACACS+ authentication. Redundancy consists of multiple APs.


Lightweight Access Points

Lightweight APs divide the 802.11 processing between the AP and a Cisco Wireless LAN Controller (WLC). This is sometimes called “split MAC,” because they split the functions of the MAC layer—Layer 2. Their management components also include the Wireless Control System (WCS) and a location-tracking appliance. Redundancy consists of multiple WLCs. The AP handles real-time processes, and the WLC handles processes such as:
  • Authentication
  • Client association/mobility management
  • Security management
  • QoS policies
  • VLAN tagging
  • Forwarding of user traffic

The Lightweight Access Point Protocol (LWAPP) supports the split MAC function in traffic between a lightweight AP and its controller. LWAPP uses AES-encrypted control messages and encapsulates, but does not encrypt, data traffic. LWAPP can operate at Layer 2, or at Layer 3 over UDP (Layer 2 operation has been deprecated by Cisco). With Layer 3 operation the controller can be in the same broadcast domain and IP subnet as the AP or in a different one. The AP follows this process to discover its controller:

Step 1. The AP requests a DHCP address. The DHCP response includes the management IP address of one or more WLCs.

Step 2. The AP sends an LWAPP Discovery Request message to each WLC.

Step 3. The WLCs respond with an LWAPP Discovery Response that includes the number of APs currently associated to it.

Step 4. The AP sends a Join Request to the WLC with the fewest APs associated to it.

Step 5. The WLC responds with a Join Response message, the AP and the controller mutually authenticate each other and derive encryption keys to be used with future control messages. The WLC then configures the AP with settings, such as SSIDs, channels, security settings, and 802.11 parameters.

The Cisco Aironet 2000 series WLC can handle up to six APs; thus, it is sized for small- to medium-sized operations.

The Cisco Aironet 4400 series WLC supports medium to large facilities with the 4402 handling up to 50 APs, and the 4404 handling up to 100 APs.

Tuesday, February 9, 2010

WLAN Standards

WLANs use three unlicensed frequency bands: 900 MHz, 2.4 GHz, and 5 GHz. These bands are all in the Industrial, Scientific, and Medical (ISM) frequency range. Higher frequency bands allow greater bandwidth, but have smaller transmission ranges. Within all bands, the data rate decreases as the client moves away from the AP.


802.11b Standard

802.11b is a widely adopted standard that operates in the 2.4 GHz range and uses Direct Sequence Spread Spectrum (DSSS). It has four data rates: 1, 2, 5.5, and 11 Mbps. 802.11b provides from 11–14 channels, depending on country standards, but only three channels have nonoverlapping frequencies: 1, 6, and 11. Cisco recommends a maximum of 25 users per cell; expect an actual peak throughput of about 6.8 Mbps.
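Why only channels 1, 6 and 11 are non-overlapping, as an added example (not from the original page): 2.4 GHz channel centres sit 5 MHz apart starting at 2412 MHz (channel 14, at 2484 MHz, is used only in Japan), and each DSSS channel is about 22 MHz wide, so two channels are clear of each other only when their centres are at least 22 MHz, i.e. five channel numbers, apart. The channel counts tried below (11, 13 and 14) stand for regulatory domains and are not a complete table.

```python
from itertools import combinations

# Added example (not from the original page): 2.4 GHz channel geometry and
# the largest set of mutually non-overlapping 802.11b channels.

CHANNEL_WIDTH_MHZ = 22


def centre_mhz(channel):
    """2.4 GHz channel centre frequency: 2407 + 5 * n for channels 1-13, 2484 for 14."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("2.4 GHz channels are 1-14")


def overlap(a, b):
    """True if the two channels' 22 MHz bands share any spectrum."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels_available):
    """Greedy lowest-first selection of mutually non-overlapping channels."""
    chosen = []
    for ch in range(1, channels_available + 1):
        if all(not overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def max_non_overlapping(channels_available):
    """(size, channels) of the largest non-overlapping set, by brute force
    over all combinations; the band is small enough for this to be instant."""
    chans = range(1, channels_available + 1)
    for size in range(channels_available, 0, -1):
        for combo in combinations(chans, size):
            if all(not overlap(a, b) for a, b in combinations(combo, 2)):
                return size, list(combo)
    return 0, []


if __name__ == "__main__":
    for domain, count in (("US", 11), ("ETSI", 13), ("Japan", 14)):
        print(f"{domain}: {count} channels, greedy pick {non_overlapping_set(count)},"
              f" best possible {max_non_overlapping(count)}")
    print("channels 1 and 5 overlap:", overlap(1, 5), "; 1 and 6 overlap:", overlap(1, 6))
```

The brute-force search confirms that three is the best any 11- or 13-channel domain can do, so neighbouring APs in the same cell plan must be placed on 1, 6 and 11 (or an equivalent set such as 1, 7 and 13 where 13 is allowed); adding a fourth channel always overlaps one of the others.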


802.11a Standard

802.11a operates in the 5 GHz range and uses Orthogonal Frequency-Division Multiplexing (OFDM). It has eight data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. 802.11a provides from 12–23 nonoverlapping channels, depending on country regulations. Portions of the 5 GHz range are allocated to radar, so 802.11a uses Dynamic Frequency Selection (DFS) to check for radar signals and choose a different channel if it detects them. It also uses Transmit Power Control (TPC) to adjust client power, so that clients use only enough to stay in contact with the AP. DFS and TPC are part of the 802.11h specification. Cisco recommends a maximum of 15 users per cell; expect an actual peak throughput of about 32 Mbps.


802.11g Standard

802.11g operates in the same 2.4 GHz range as 802.11b and uses the same three nonoverlapping channels: 1, 6, and 11. It can provide higher data rates, however. 802.11g uses DSSS to provide 1, 2, 5.5, and 11 Mbps throughput, which makes it backward compatible with 802.11b. It uses OFDM to provide 6, 9, 12, 18, 24, 36, 48, and 54 Mbps throughput, as does 802.11a.

802.11b/g access points can register both 802.11b and 802.11g clients. Because 802.11b clients do not understand OFDM messages, when 802.11b clients register, the AP implements an RTS/CTS protection mechanism against collisions. When a client wants to talk, it sends an RTS message. The AP must answer with a CTS message before the client is allowed to transmit. This creates overhead for the AP and causes a drop in overall throughput for all clients. Cisco recommends a maximum of 20 users per cell; expect an actual peak throughput of about 32 Mbps.


Wireless Security

Wireless security methods, listed from weakest to strongest, include:
  • Wired Equivalent Privacy (WEP)—Uses static keys, weak authentication, and is not scalable.
  • 802.1x Extensible Authentication Protocol (EAP)—Uses RADIUS for authentication, dynamic keys, and stronger encryption. Cisco supports it via Lightweight EAP (LEAP) and Protected EAP (PEAP).
  • Wi-Fi Protected Access (WPA)—This is a Wi-Fi Alliance standard. Uses Temporal Key Integrity Protocol (TKIP) for encryption, dynamic keys, and 802.1x user authentication. Cisco supports it via Lightweight EAP (LEAP), Protected EAP (PEAP), and Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST).
  • WPA2—The Wi-Fi Alliance’s implementation of the 802.11i standard, which specifies the use of Advanced Encryption Standard (AES) for data encryption and uses 802.1x authentication methods. Can also use TKIP encryption.

WPA/WPA2 Authentication

When a host wanting WLAN access needs to be authenticated in a network using WPA or WPA2, the following steps occur:

Step 1. An 802.1x/EAP supplicant on the host contacts the AP (or WLAN controller, if it is a lightweight AP) using 802.1x.

Step 2. The AP or WLAN controller uses RADIUS to contact the AAA server and attempts to authenticate the user.

Step 3. If the authentication succeeds, all traffic from the client to the AP is encrypted.