Sunday, January 2, 2011

Campus Network Security

Attention has traditionally been paid to network perimeter security, such as firewalls, and to mitigating Layer 3 attacks. However, networks must also be protected against Layer 2 attacks. These are launched from devices inside the network, either a rogue device or a legitimate device that has been compromised. Rogue devices might be placed maliciously or might simply be connected to an access switch by an employee who wants more switch ports or wireless access. They include:
  • Wireless routers or hubs
  • Access switches
  • Hubs
A rogue switch might become the Spanning Tree root bridge and disrupt user traffic. Use the root guard and BPDU guard commands to prevent this.
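As an added example (not configuration from the original post), the following Cisco IOS snippet applies the two guards just mentioned. Interface names, descriptions and VLAN numbers are assumed. BPDU guard belongs on access ports where no switch should ever appear; root guard belongs on designated ports facing other switches that must never become root.

```cisco
! Global: enable BPDU guard on every PortFast (edge) port by default
spanning-tree portfast bpduguard default
!
! Access port toward an end host: no BPDUs are expected here, so a
! received BPDU (for example from a rogue switch) err-disables the port.
interface GigabitEthernet1/0/10
 description user access port (assumed name)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Port toward a downstream switch: BPDUs are legitimate here, but a
! superior BPDU must not be accepted. Root guard puts the port into the
! root-inconsistent (blocking) state instead of re-electing the root.
interface GigabitEthernet1/0/24
 description link to access-layer switch (assumed name)
 switchport mode trunk
 spanning-tree guard root
!
! Optional: recover BPDU-guard err-disabled ports after 300 seconds
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Verify the result with `show spanning-tree inconsistentports` (root guard blocking) and `show interfaces status err-disabled` (BPDU guard shutdowns).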

There are four typical types of attacks against a switched network:
  • MAC-based attacks, such as MAC address flooding
  • VLAN-based attacks, such as VLAN hopping and attacks against devices on the same VLAN
  • Spoofing attacks, such as DHCP spoofing, MAC spoofing, Address Resolution Protocol (ARP) spoofing, and Spanning Tree attacks
  • Attacks against the switch, such as Cisco Discovery Protocol (CDP) manipulation, Telnet attacks, and Secure Shell (SSH) attacks

MAC Address Flooding

In a MAC address flooding attack, the attacker fills the switch's Content Addressable Memory (CAM) table with invalid MAC addresses. After the table is full, all traffic with a destination address not in the table is flooded out all interfaces. This has two bad effects: more traffic on the LAN and more work for the switch. Additionally, traffic for other hosts is now flooded to the intruder's port as well, so the intruder can see traffic that would normally be delivered only to other ports. After the attack stops, CAM entries age out and life returns to normal. However, in the meantime the attacker might have captured a significant amount of data.

Port security and port-based authentication can help mitigate MAC address attacks.


Port Security

Port security limits the number of MAC addresses allowed per port and can also limit which MAC addresses are allowed. Allowed MAC addresses can be configured manually, or the switch can sticky learn them. Table 8-1 lists port security commands; these are entered in interface configuration mode.
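As an added example (not from the original post), the following interface configuration shows the port security options described above: a limit on the number of addresses, one manually configured address, sticky learning of the rest, and a violation action. The interface name, VLAN and the MAC address are constructed values.

```cisco
interface GigabitEthernet1/0/10
 description user access port (assumed name)
 switchport mode access
 switchport access vlan 10
 ! Enable port security; defaults are maximum 1 address, violation shutdown
 switchport port-security
 ! Allow two addresses, for example a PC behind an IP phone
 switchport port-security maximum 2
 ! Manually allowed address (constructed example MAC)
 switchport port-security mac-address 0000.1111.2222
 ! Sticky learn the remaining address and write it to the running config
 switchport port-security mac-address sticky
 ! restrict: drop frames from unknown MACs, count the violation and log
 ! it, but keep the port up (shutdown would err-disable the port,
 ! protect would drop silently with no record)
 switchport port-security violation restrict
```

Check the secured addresses and violation counters with `show port-security interface GigabitEthernet1/0/10` and `show port-security address`; sticky addresses survive a reload only after the configuration is saved.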




Port-Based Authentication

802.1x authentication requires a computer (called a client) to be authenticated before it is allowed access to the LAN. This can be combined with port security to allow only authenticated clients with specified MAC addresses to access a port. When a computer connects to a switch port configured for 802.1x authentication, the following steps occur:

Step 1. The port is in the unauthorized state, allowing only 802.1x EAP over LAN (EAPOL) traffic.

Step 2. The client connects to the port. The switch either requests authentication or the client sends an EAPOL frame to begin authentication.

Step 3. The switch relays authentication information between the client and a RADIUS server, acting as a proxy for the client.

Step 4. If authentication succeeds, the port transitions to the authorized state, and normal LAN traffic is allowed through it.

Table 8-2 shows commands to configure 802.1x authentication on a switch.
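As an added example (not the original post's Table 8-2), the following configuration implements the four steps above on a Cisco IOS switch and combines 802.1x with port security as the text suggests. The RADIUS server address and shared secret are placeholders, the interface name and VLAN are assumed, and newer IOS releases use `authentication port-control auto` in place of `dot1x port-control auto`.

```cisco
! Global AAA configuration
aaa new-model
! Send 802.1x authentication requests to RADIUS (Step 3)
aaa authentication dot1x default group radius
! RADIUS server address and shared secret are placeholders
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! Enable 802.1x globally on the switch
dot1x system-auth-control
!
! Access port: starts in the unauthorized state and passes only EAPOL
! (Step 1) until the RADIUS server accepts the client (Step 4)
interface GigabitEthernet1/0/10
 description user access port (assumed name)
 switchport mode access
 switchport access vlan 10
 ! The switch is the authenticator; the port state follows the
 ! authentication result. The alternatives are force-authorized
 ! (bypass 802.1x) and force-unauthorized (never allow traffic).
 dot1x pae authenticator
 dot1x port-control auto
 ! Combine with port security so only the authenticated client's
 ! MAC address may use the port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
```

`show dot1x interface GigabitEthernet1/0/10` shows the port's current authorization state, which is the quickest way to confirm that a client has completed Step 4.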