Topologi
Objectives
- Secure the Layer 2 network against MAC flood attacks.
- Prevent DHCP spoofing attacks.
- Prevent unauthorized access to the network using AAA and 802.1X.
Background
A fellow network engineer that you have known and trusted for many years has invited you to lunch this week. At lunch, he brings up the subject of network security and how two of his former co-workers had been arrested for using different Layer 2 attack techniques to gather data from other users in the office for their own personal gain in their careers and finances. The story shocks you because you have always known your friend to be very cautious with security on his network. His story makes you realize that your business network has been cautious with external threats, Layer 3–7 security, firewalls at the borders, and so on, but insufficient at Layer 2 security and protection inside the local network. When you get back to the office, you meet with your boss to discuss your concerns. After reviewing the company’s security policies, you begin to work on a Layer 2 security policy. First, you establish which network threats you are concerned about and then put together an action plan to mitigate these threats. While researching these threats, you learn about other potential threats to Layer 2 switches that might not be malicious but could threaten network stability. You decide to include these threats in the policies as well. Other security measures need to be put in place to further secure the network, but you begin with configuring the switches against a few specific types of attacks, including MAC flood attacks, DHCP spoofing attacks, and unauthorized access to the local network. You plan to test the configurations in a lab environment before placing them into production.
Genomförande
Hoppar återigen över grundkonfigen för att få upp Port-channels/Trunking/VLAns, se tidigare inlägg för detta. Vi börjar med att sätta upp HSRP mellan S1 & S3. S1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
S1(config)#int vlan 1
S1(config-if)#ip add 172.16.1.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.1.1
S1(config-if)#standby 1 priority 100
S1(config-if)#standby 1 preempt
S1(config-if)#
S1(config-if)#int vlan 100
S1(config-if)#ip add 172.16.100.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.100.1
S1(config-if)#standby 1 priority 150
S1(config-if)#standby 1 preempt
S1(config-if)#
S1(config-if)#int vlan 200
S1(config-if)#ip add 172.16.200.10 255.255.255.0
S1(config-if)#standby 1 ip 172.16.200.1
S1(config-if)#standby 1 priority 100
S1(config-if)#standby 1 preempt
S1(config-if)#end
S3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
S3(config)#int vlan 1
S3(config-if)#ip add 172.16.1.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.1.1
S3(config-if)#standby 1 priority 150
S3(config-if)#standby 1 preempt
S3(config-if)#
S3(config-if)#int vlan 100
S3(config-if)#ip add 172.16.100.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.100.1
S3(config-if)#standby 1 priority 100
S3(config-if)#standby 1 preempt
S3(config-if)#
S3(config-if)#int vlan 200
S3(config-if)#ip add 172.16.200.30 255.255.255.0
S3(config-if)#standby 1 ip 172.16.200.1
S3(config-if)#standby 1 priority 150
S3(config-if)#standby 1 preempt
S3(config-if)#
S1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 100 P Standby 172.16.1.30 local 172.16.1.1
Vl100 1 150 P Active local 172.16.100.30 172.16.100.1
Vl200 1 100 P Standby 172.16.200.30 local 172.16.200.1
Nästa uppgift var att säkra vårat nät mot DHCP-spoofing attacker. För att lyckas med detta kan vi använda oss av “dhcp snooping”. Då endast S2 är access-layer switch med användare inkopplade behöver vi bara konfa snooping där. S2
1
2
3
4
S2(config)#!Aktiverar DHCP-snooping funktionen
S2(config)#ip dhcp snooping
S2(config)#!Startar DHCP-snooping för vlan 100 & 200
S2(config)#ip dhcp snooping vlan 100,200
Alla portar räknas som per default untrusted, dvs får EJ skicka DHCPOFFERs & DHCPACKs. Vi måste därför konfigurera trusted där vi har vår DHCP-server. I detta fall har vi ingen lokalt på lanet, därför sätter vi trunk-portarna till trusted.
1
2
S2(config)#inte range fa0/1 - 4 , po1 - 2
S2(config-if-range)#ip dhcp snooping trust
Vi kan verifiera vår konfig med “sh ip dhcp snooping”.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
S2#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100,200
DHCP snooping is operational on following VLANs:
100,200
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Int
*Mar 1 02:14:22.416: %SYS-5-CONFIG_I: Configured from console by consoleerface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/1 yes unlimited
FastEthernet0/2 yes unlimited
FastEthernet0/3 yes unlimited
FastEthernet0/4 yes unlimited
Port-channel1 yes unlimited
Port-channel2 yes unlimited
MAC-flood attacker blir bara lite repetition från CCNA, genom att begränsa antal mac-adresser en port kan lära sig behöver vi inte vara rädda för att råka ut för cam-table overflow. Även här behöver vi endast konfa S2 då det är den enda switchen i access-layer.
1
2
3
4
5
6
7
8
S2(config)#int range fa0/6 - 20
S2(config-if-range)#switchport mode access
S2(config-if-range)#switchport access vlan 100
S2(config-if-range)#switchport port-security
S2(config-if-range)#switchport port-security max 2
S2(config-if-range)#switchport port-security mac-address sticky
S2(config-if-range)#spanning-tree portfast
S2(config-if-range)#spanning-tree bpduguard enable
Detta gör att switchen endast kan lära sig max 2st mac-adresser per interface (2x15 = 30 mac-adresser). För att begränsa access till nätet är ett alternativ att använda oss av 802.1x, vilket kräver att användarna autentiserar sig innan porten slår över till forwarding. Mer info om dot1x finns att läsa här.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
S2(config)#aaa new-model
S2(config)#!Autentiserar anvandare mot anvandardatabasen som ligger lokalt pa switchen
S2(config)#aaa authentication dot1x default local
S2(config)#!aktiverar dot1x
S2(config)#dot1x system-auth-control
S2(config)#!skapar anvndare
S2(config)#username admin1 password cisco
S2(config)#username user1 password cisco
S2(config)#username user2 password cisco
S2(config)#inte range fa0/6 - 20
S2(config-if-range)#!aktiverar dot1x-autentisering pa interfacen
S2(config-if-range)#dot1x port-control auto
S2(config-if-range)#
*Mar 1 02:28:23.114: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/11, changed state to down
*Mar 1 02:28:23.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Observera att både Fa0/11 & Fa0/18 genast gick ner efter vi la in konfigen, detta pga användarna ej är autentiserade ännu.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
S2#sh dot1x interface fa0/11
Dot1x Info for FastEthernet0/11
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Rekommenderat är dock att koppla autentiseringen mot en extern RADIUS-server istället.