Wednesday 24 October 2012

16 - Campus Security - STP Attacks and Other Security Considerations



A lot of this I already covered in the CCNA-S exam, so some brief notes:



There is nothing to stop someone bringing in their own switch and becoming the root bridge of the network,

so we have 2 major features:
Any port set for PortFast should also be set as BPDU Guard: if it detects a BPDU
it will shut down the port (as we have declared this a PortFast port, i.e. a host, there should
not be any BPDUs).


To enable this:

inter fas0/1
spanning-tree bpduguard enable




To bring the port back after it has been err-disabled, do the same as you would for any port-security violation ..... shut, no shut


There is also a feature for the legitimate switch ports - to prevent a misconfigured switch from becoming the root.


We can enable Root Guard
on any port connected to a switch that is NOT to become root; this feature you would
only enable on the root switch and/or the backup root switch.


inter fa0/2
spanning-tree guard root

This means that no switch connecting to this port will ever become the root.

But when it blocks a port it doesn't go into err-disable; the port goes into the root-inconsistent state instead.





17 - Campus Security - VACLs




VACLs can also redirect traffic! - this is the more common use for a VACL.



The 3550
only allows you to permit and deny (forward/drop), whereas the 6500

could also:
match this subnet and redirect it to an IPS sensor/blade, etc.


vlan 10
vlan 30

Very similar to route-maps .... sequencing, etc.


access-list 10
permit 10.1.10.0 0.0.0.255


mac access-list extended SERVER
permit any host 1111.1111.2222


access-list 30
permit 10.1.30.0 0.0.0.255


vlan access-map <name> <seq number>

vlan access-map demo 10
match ip address 10
action forward
vlan access-map demo 20
action drop

As you can see, very similar to a route-map (match and set, etc.).



NOW TO APPLY IT

vlan filter demo vlan-list 10   (the VLAN list can use ranges with - or commas, etc.)

vlan access-map demo1 10
match ip address 30
action forward
vlan access-map demo1 20
action drop


vlan filter demo1 vlan-list 30 


So as you can see it's a simple demo, BUT you can use extended access-lists and combine
them all together in the VLAN access-maps.
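As an added example (not from the original notes), here is a small model of how a VLAN access-map is evaluated: sequences in order, first match wins, and a packet that matches no sequence hits the implicit drop at the end. The "demo" map and the ACLs are the ones above; the IPS redirect map and the GigabitEthernet1/1 port are constructed to show the 6500-style redirect action.

```python
# Added example: VLAN access-map evaluation (not from the original notes).
import ipaddress

# Standard ACLs from the demo, as (network, wildcard) permit entries
IP_ACLS = {
    "10": [("10.1.10.0", "0.0.0.255")],
    "30": [("10.1.30.0", "0.0.0.255")],
}
MAC_ACLS = {"SERVER": [("any", "1111.1111.2222")]}   # (src, dst) permit entries

def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Standard-ACL style match: bits set in the wildcard are 'don't care'."""
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return (i & ~w) == (n & ~w)

def ip_acl_matches(acl_name: str, src_ip: str) -> bool:
    return any(wildcard_match(src_ip, net, wc) for net, wc in IP_ACLS[acl_name])

def mac_acl_matches(acl_name: str, src_mac: str, dst_mac: str) -> bool:
    return any((s == "any" or s == src_mac) and (d == "any" or d == dst_mac)
               for s, d in MAC_ACLS[acl_name])

# vlan access-map demo: (sequence, match clause or None = match everything, action)
ACCESS_MAP_DEMO = [
    (10, ("ip", "10"), ("forward", None)),
    (20, None, ("drop", None)),
]
# constructed 6500-style map: redirect traffic to the server's MAC to an IPS port
ACCESS_MAP_IPS = [
    (10, ("mac", "SERVER"), ("redirect", "GigabitEthernet1/1")),
    (20, ("ip", "30"), ("forward", None)),
]

def evaluate_vacl(access_map, packet: dict) -> tuple:
    """Return (action, argument) for a packet dict with src_ip/src_mac/dst_mac."""
    for seq, match, action in sorted(access_map, key=lambda e: e[0]):
        if match is None:
            return action
        kind, name = match
        if kind == "ip" and ip_acl_matches(name, packet["src_ip"]):
            return action
        if kind == "mac" and mac_acl_matches(name, packet["src_mac"], packet["dst_mac"]):
            return action
    return ("drop", None)       # implicit deny: no sequence matched
```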


PACLs
An access-list applied to a port (a Layer 2 switchport, i.e. not a "no switchport" routed port, otherwise it's just a normal ACL on a routed port).

Can only be applied inbound (a limitation of the switch ASIC).
int fa0/3
ip access-group 1 in

or for a MAC ACL: mac access-group <name> in


Wednesday 17 October 2012

15 - Campus Security - VLAN and Spoofing Attacks







Remember every port by default is set to "switchport mode dynamic desirable".

If the switch sees another trunk then dynamic desirable will become a trunk. From the intruder's perspective that's great (for him, not for us!): he has now trunked with our switch, can see all VLANs, and can move himself into our VoIP VLAN and start a packet sniffer, etc.

So, simple but effective: hard-code those access ports!









So what are PVLANs?


They are VLANs within VLANs.

You have a primary VLAN, which defines the subnet and is a normal VLAN;
within, say, VLAN 5 we can add sub-VLANs,

so we can now isolate these sub-VLANs from each other.

There are 3 types of sub-VLANs/ports:


Lets look at the below scenario:


Isolated port: the FTP server is on an isolated port (a port that is in the VLAN but cannot speak to anyone else in the VLAN). So how does it reach the DG etc.? Well, we configure the router port as a promiscuous port (which can be reached by anything within the private VLAN, i.e. all the sub-VLANs).


Community port:
so WWW and SQL can be on community ports, which are truly a sub-VLAN; they can reach other things within the community and can reach the promiscuous port (DG).





So if the FTP server gets compromised it cannot reach any other hosts/clients/servers.

So going back to the original diagram (with Jeremy and his cable modem) we can make each port an isolated port and the router port out (DG) will be a promiscuous port - very powerful stuff.

So PVLANs provide isolation and segmentation within 1 VLAN.


Right, let's lab this:





The FTP will be isolated from the Community ports but can talk to the Prom port,
the Community ports can talk to the Prom port but not the Isolated port.



1 primary/parent VLAN, which in our case will be VLAN 200.
A VLAN = a subnet.

The PVLANs (secondary VLANs) will be part of the primary VLAN/subnet.
You can only have 1 isolated VLAN per primary, but you can have many ports in that isolated VLAN
(so you could have loads of servers in the isolated VLAN, none of which can talk to each other).


*note to self 3950 does not support pvlans*

PVLANs can only be configured in VTP transparent mode.


CONFIGURATION


vtp mode transparent

vlan 200
private-vlan primary

vlan 205
private-vlan community

vlan 210
private-vlan isolated

So now I need to associate these VLANs with the primary:

vlan 200
private-vlan association 205,210











The next part will be assigning ports. A host port is put into private-vlan host mode and then associated with its primary and secondary (sub) VLAN:


inter fa4/24
switchport mode private-vlan host
switchport private-vlan host-association <primary vlan> <secondary vlan/sub vlan>

so in our case

switchport private-vlan host-association 200 205

int fa4/25
switchport mode private-vlan host
switchport private-vlan host-association 200 205


int fa4/26
switchport mode private-vlan host
switchport private-vlan host-association 200 210

Now let's set up the promiscuous port. We need to configure the private-vlan mapping, i.e. tell the port which
secondary VLANs it will be talking to: first we give the primary VLAN, then the sub-VLANs.

int fa4/26
switchport mode private-vlan promiscuous
switchport private-vlan mapping 200 205,210
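As an added example (not from the original notes), the reachability rules described above, applied to the lab's VLAN 200 (primary), 205 (community) and 210 (isolated). The port names (www, sql, ftp, router) are constructed; the router port carries the same mapping as the promiscuous port configured above.

```python
# Added example: PVLAN reachability rules (not from the original notes).
from dataclasses import dataclass
from typing import FrozenSet, Optional

PRIMARY = 200
SECONDARY = {205: "community", 210: "isolated"}   # 'private-vlan association 205,210'

@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                              # 'host' or 'promiscuous'
    secondary: Optional[int] = None        # host ports: their community/isolated VLAN
    mapping: FrozenSet[int] = frozenset()  # promiscuous ports: secondaries they map

def can_talk(a: PvlanPort, b: PvlanPort) -> bool:
    """Can a frame from port a reach port b inside the private VLAN?"""
    if a is b:
        return False
    # a promiscuous port reaches every secondary VLAN it is mapped to, both ways
    if a.mode == "promiscuous":
        return b.mode == "promiscuous" or b.secondary in a.mapping
    if b.mode == "promiscuous":
        return a.secondary in b.mapping
    # host to host: only allowed inside the same community VLAN;
    # two isolated ports never talk, even though they share VLAN 210
    same = a.secondary == b.secondary
    return same and SECONDARY[a.secondary] == "community"

def reachability_matrix(ports):
    """(source name, destination name) -> allowed, for every ordered pair of ports."""
    return {(a.name, b.name): can_talk(a, b) for a in ports for b in ports if a is not b}
```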

Let's confirm:







So if this is the first time that the client and the server have spoken, an ARP request asking for the server's MAC will be sent out; the attacker can then reply with the MAC of his own PC and forward the traffic on to the server, so no one is any the wiser.

DHCP snooping also helps protect from ARP attacks (via DAI, Dynamic ARP Inspection) - as covered in the CCNA-S (so brief notes, as covered before).

enable via
ip dhcp snooping

configure the trusted ports with 
ip dhcp snooping trust

The switch then tracks the IP-to-MAC bindings it sees in the DHCP requests/replies
and builds a binding database that the DAI feature can use.

it can be seen via

show ip dhcp snooping binding


The port can then be shut down if a violation occurs.


The 3750 etc. have IP Source Guard (which is one step up from DAI): it watches the DHCP reply and then creates
an access-list for that port that only allows that IP/MAC in on that port.

However, if you have a lot of clients your switch can take a performance hit and it might end up falling back to software switching ....


Go under the port:
ip verify source vlan dhcp-snooping port-security
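As an added example (not from the original notes), here is the binding database being used the way DAI and IP Source Guard use it: a constructed `show ip dhcp snooping binding` table is parsed, ARP sender fields are checked against it, and IP traffic on an untrusted port is filtered to its bound IP and MAC. All MACs, IPs and port names in the sample are constructed.

```python
# Added example: DAI / IP Source Guard checks against the DHCP snooping
# binding table (not from the original notes).
from dataclasses import dataclass

# Constructed sample in the layout of 'show ip dhcp snooping binding'
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   10.1.10.20       86400       dhcp-snooping  10    FastEthernet0/3
00:1A:2B:3C:4D:5F   10.1.10.21       86400       dhcp-snooping  10    FastEthernet0/4
Total number of bindings: 2
"""

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

def parse_bindings(text: str) -> list:
    """Pull the binding rows out of the show output, skipping header and totals."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] in ("dhcp-snooping", "static"):
            rows.append(Binding(parts[0].lower(), parts[1], int(parts[4]), parts[5]))
    return rows

def dai_check(bindings, vlan: int, sender_mac: str, sender_ip: str, trusted=False) -> bool:
    """DAI: ARP on a trusted port passes unchecked; on an untrusted port the
    sender IP/MAC pair must be a valid binding in this VLAN, else the ARP is dropped."""
    if trusted:
        return True
    return any(b.vlan == vlan and b.mac == sender_mac.lower() and b.ip == sender_ip
               for b in bindings)

def source_guard_check(bindings, interface: str, src_mac: str, src_ip: str) -> bool:
    """IP Source Guard (ip verify source ... port-security): only the IP *and*
    MAC bound to this port may send IP traffic through it."""
    return any(b.interface == interface and b.ip == src_ip and b.mac == src_mac.lower()
               for b in bindings)
```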

Monday 15 October 2012

13 - Redundancy in the Campus - HSRP, VRRP, and GLBP 2






One other difference between VRRP and the other 2 protocols in regards to timers is that the master down interval (hold timer) is not configurable.  Instead, VRRP uses a value of 3 times the hello timer + the skew time as the master down interval.  The skew time is calculated as ((256 – VRRP priority) / 256), which will result in higher priority routers having a shorter skew time and master down interval.
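As an added example (not from the original notes), the formula above worked through in code: skew time and master down interval for a few priorities, with the default 1 second advertisement interval and with the lab's 100 ms one.

```python
# Added example: VRRP master down interval (not from the original notes).
# skew = (256 - priority) / 256 seconds; master_down = 3 * advertise + skew

def vrrp_skew_time(priority: int) -> float:
    """Skew time in seconds for a VRRP router with the given priority (1-254)."""
    if not 1 <= priority <= 254:
        raise ValueError("VRRP priority must be between 1 and 254")
    return (256 - priority) / 256

def vrrp_master_down_interval(priority: int, advertise_interval: float = 1.0) -> float:
    """Master down interval in seconds: 3 x advertisement interval + skew time.
    advertise_interval is in seconds (default 1 s; the lab's 'msec 100' is 0.1)."""
    return 3 * advertise_interval + vrrp_skew_time(priority)

def backup_failover_order(priorities, advertise_interval: float = 1.0):
    """(priority, master_down) pairs ordered by who declares the master dead first:
    higher priority -> shorter skew -> shorter master down interval."""
    rows = [(p, vrrp_master_down_interval(p, advertise_interval)) for p in priorities]
    return sorted(rows, key=lambda r: r[1])

if __name__ == "__main__":
    for adv in (1.0, 0.1):
        print(f"advertise interval = {adv} s")
        for pri, mdi in backup_failover_order([100, 150, 200, 254], adv):
            print(f"  priority {pri:3d}: skew {vrrp_skew_time(pri):.4f} s, "
                  f"master down {mdi:.4f} s")
```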




For this lab we will have to do it on the 2800, as VRRP is not supported on the 3550 ... (maybe another reason to run HSRP, as that is supported on all Cisco platforms).

VERY SIMILAR TO HSRP:

inter fa0/0
vrrp 20 ip 172.30.4.90
vrrp 20 preempt
vrrp 20 timers advertise msec 100


We don't have the option to set a dead timer like we did with HSRP; it is derived from the advertisement (hello)
timer that is set on the MASTER. So on the MASTER we set the advertise interval, and the backup routers are configured to learn, so they pick up the timer dynamically.

If the MASTER notices that one of its tracked interfaces is down, it will set its priority to zero.




Server 1 wants to send traffic and sends an ARP for the VIP; router 1 (the AVG) gets the ARP request and replies with its MAC address.
Server 2 wants to send traffic and sends an ARP for the VIP; router 2 gets the ARP request and passes it to the AVG, but when the AVG replies it replies with the MAC of R2.

R2 is now also known as an AVF (Active Virtual Forwarder).

The load balancing can be round robin, host dependent or weighted (equal or unequal). Is it true load balancing? Well no, but it is a type of load balancing (the second router doesn't sit there idle).

For the other methods (i.e. not the default round robin) you have to configure quite a few options (not covered in the NP).

Config very similar to the others:

inter fa0/0
glbp 1 ip 172.30.4.70
glbp 1 priority 150   (to set who is the AVG; higher = better, default is 100)
glbp 1 timers

Supports IPv6 also!



14 - Campus Security - Basic Port Security and 802.1x





Part of dsniff is macof, which sources many, many MACs onto that uplink and saturates the CAM table, which then turns the switch into a hub (as no more MACs can be learnt): now everything is flooded out of every port, and you can packet-sniff it ;0)

Most attacks focus on poisoning the MAC tables.

See the screenshot of when I used macof against my 2950 when studying for the CCNA-S; check out the 8000+ MACs learnt by the switch! lol






conf t
inter fas0/21
switchport mode access
switchport port-security
switchport port-security maximum 1


show port-security interface fa0/21   (to verify)

switchport port-security violation {shutdown | restrict | protect}
shutdown - you're gonna hear about it; good choice to choose.
restrict - does the same as protect, but the security violation counter will increase and it will generate a SYSLOG event.
protect - when another MAC tries to connect, its frames are silently dropped (but neither you the admin nor the user knows about it).


With shutdown, the state of the port goes into secure-shutdown; check with show ip int brief (it shows as down/down).
A handy command to view this is:



We just saw the errdisable cause security-violation, so let's configure recovery for that:

conf t
errdisable recovery cause security-violation
errdisable recovery interval X   (seconds)



pretty kool huh .... :0)


show port-security interface fa0/21   (to see the security information and counters)



conf t
inter fas 0/21
switchport port-security maximum 10
switchport port-security mac-address <static MAC>

BUT DO configure the maximum number of MACs allowed too, as we have above, and be careful as it works as a mix, i.e.
with a maximum of 10 it will allow the 1 MAC we configured plus 9 dynamically learnt or sticky ones. So configure as appropriate.

Or we can do this with sticky MACs:


switchport port-security mac-address sticky

The switch will automatically hard-code into the running config whatever device you have plugged into that switchport.




You need to save the config to NVRAM, otherwise the sticky MACs will not survive a reload. Also, if we plug in another device you can see the running config shows that MAC too :0)


If these are the only two devices, we can then lower the maximum down to 2. Job done lol
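As an added example (not from the original notes), a model of one secured switchport that covers both the violation modes listed earlier and the static plus sticky mix described just above: one static MAC with maximum 10 leaves room for 9 learnt MACs, and the 11th MAC triggers protect, restrict or shutdown behaviour. The MAC addresses in the test are constructed, and the syslog strings only approximate the real messages.

```python
# Added example: port-security behaviour on one port (not from the original notes).
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                      # 'switchport port-security maximum'
    violation: str = "shutdown"           # protect | restrict | shutdown
    sticky: bool = False                  # 'switchport port-security mac-address sticky'
    static_macs: set = field(default_factory=set)   # 'port-security mac-address <MAC>'
    learned_macs: set = field(default_factory=set)  # dynamic or sticky-learnt
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static_macs | self.learned_macs

    def running_config(self) -> list:
        """Static entries always appear; sticky ones appear once learnt."""
        lines = [f"switchport port-security mac-address {m}" for m in sorted(self.static_macs)]
        if self.sticky:
            lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.learned_macs)]
        return lines

    def frame_in(self, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'err-disabled' for a frame from src_mac."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure_macs():
            return "forward"
        # static entries count toward the maximum: 1 static + (maximum - 1) learnt
        if len(self.secure_macs()) < self.maximum:
            self.learned_macs.add(src_mac)
            return "forward"
        # an unknown MAC beyond the maximum is a violation
        if self.violation == "protect":
            return "drop"                 # silent: no counter, no syslog
        if self.violation == "restrict":
            self.violation_count += 1
            self.syslog.append(f"PSECURE_VIOLATION: {src_mac} on {self.name}")
            return "drop"
        self.violation_count += 1
        self.err_disabled = True          # shutdown: port goes secure-shutdown
        self.syslog.append(f"ERR_DISABLE: psecure-violation on {self.name}")
        return "err-disabled"
```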



802.1x


The authenticator (the switch) does not need to understand the EAP method; it is transparent in the process, so if at a later date we use a different authentication method we don't have to upgrade the switch.


handy link:
http://www.cs.umd.edu/~mvanopst/8021x/howto/

To configure on the switch, we need AAA and to enable 802.1x globally:





Friday 12 October 2012

12 - Redundancy in the Campus - HSRP, VRRP, and GLBP 1












However, you can tweak the HSRP timers to be just as good as VRRP's, so the only thing against it is the fact that it is Cisco-only.



So first, let's jump on Switch A (70.2):










Switch A
inter vlan 70
standby 1 ip 172.30.70.1
standby 1 priority 150   (default 100, HIGHER is better! Otherwise the highest IP address breaks the tie)


Switch C
inter vlan 70
standby 1 ip 172.30.70.1

Let's jump on the client/host,
and we can now ping 172.30.70.1 :0)
Also, if we telnet to 70.1 we land on Switch A - just as you would expect with the higher priority (it's ACTIVE).













Let's test it out: let's pull out the uplink between the switches.


Ah, so HSRP kicked in. Let's check the switch: if we now telnet to the VIP address, we land on Switch C.


BUT notice that if we patch Switch A back in, Switch C is STILL the active switch, even though Switch A has the higher priority. It's kind of a one-way failover really: only when Switch C fails will it fail over to Switch A.











We can tweak HSRP with these commands:


Priority we know; however, with preempt we can fix the issue above:


Switch A

inter vlan 70
standby 1 preempt

This will overthrow the lower-priority switch straight away, once the command is entered.



Tracking is configured together with preempt; they go hand in hand, as when a switch detects that the tracked interface has gone down it decrements its priority, and the other switch then needs the preempt feature to overthrow the current active switch.




Let's set up the above:

SWITCH A
has a priority of 150 and will decrement by 60 to 90 if the interface goes down, therefore allowing Switch C to be ACTIVE.



Switch C
inter vlan 70
standby 1 preempt


Switch A
inter vlan 70
standby 1 track fas 0/23 60


Right, let's pull the uplink:



WOW! No loss! Let's check that Switch C is ACTIVE:


Notice the STANDBY router has a priority of 90, as the tracker took 60 off for the interface going down.
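As an added example (not from the original notes), a small model of the HSRP election that reproduces both labs above: without preempt, Switch A coming back does not retake the active role; with preempt and tracking, the fa0/23 decrement of 60 drops Switch A to 90 so Switch C (priority 100) takes over, and Switch A preempts again once the link is back. Switch A's 172.30.70.2 is from the notes; Switch C's address 172.30.70.3 is assumed.

```python
# Added example: HSRP active election with preempt and tracking (not from the original notes).
from dataclasses import dataclass, field

@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100                 # 'standby 1 priority', default 100
    preempt: bool = False               # 'standby 1 preempt'
    tracked: dict = field(default_factory=dict)     # iface -> 'standby 1 track' decrement
    down_ifaces: set = field(default_factory=set)
    alive: bool = True                  # False = no hellos heard from this router

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(d for i, d in self.tracked.items() if i in self.down_ifaces)

def best_candidate(routers):
    """Highest effective priority wins; the highest IP address breaks a tie."""
    live = [r for r in routers if r.alive]
    return max(live, key=lambda r: (r.effective_priority(), tuple(map(int, r.ip.split(".")))))

class HsrpGroup:
    def __init__(self, routers):
        self.routers = routers
        self.active = best_candidate(routers)       # initial election

    def reevaluate(self) -> str:
        """Run after every event. The active router only changes when it is gone,
        or when a better router exists AND that router has preempt enabled."""
        best = best_candidate(self.routers)
        if not self.active.alive or (best is not self.active and best.preempt):
            self.active = best
        return self.active.name

    def fail(self, r):
        r.alive = False
        return self.reevaluate()
    def recover(self, r):
        r.alive = True
        return self.reevaluate()
    def link_down(self, r, iface):
        r.down_ifaces.add(iface)
        return self.reevaluate()
    def link_up(self, r, iface):
        r.down_ifaces.discard(iface)
        return self.reevaluate()
```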

We can also tweak it with Delay:







Let's tune those timers! Notice we can tweak this to be the same as VRRP, BUT why do that when we can get into milliseconds!!!

















Now we can re-converge in under 1 second!!! You might just want to keep an eye on processor cycles on both switches (the faster hellos mean more interrupts to the processor).


Thursday 11 October 2012

11 - L3 Switching - Understanding CEF Optimization


A foundational look at what exactly CEF is and how it works:








When the switch boots up, everything has to be learnt (routes etc.); this is then copied down to the FIB.
FIB = Forwarding Information Base (which is a high-speed cache in the ASIC).

The ADJ (adjacency) table holds all the Layer 2 information (MACs etc.).

Now once the switch has booted up, it proactively checks all the routes in the FIB and then finds all the MAC addresses for the next-hop addresses (upstream routers / L3 neighbours / static routes, etc.).

So by the time this switch/router is ready to forward packets it already has the entire routing table cached and it has all the ARP mappings / next-hop MAC addresses.

So now when a packet comes into the router/switch it goes straight into the hardware, which looks at the hardware cache / routing table, already has the MAC, rewrites the header and out it goes at WIRE SPEED at LAYER 3!

So all inter-VLAN traffic, routed ports and routing happens in CEF at wire speed. Major advantage.
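As an added example (not from the original notes), a model of the forwarding path just described: routes are copied into a FIB, the next-hop MACs are resolved into an adjacency table up front, and each packet is then forwarded with one longest-prefix lookup plus an L2 rewrite, with no routing or ARP lookup on the packet path. All prefixes, MACs and interface names in the test are constructed.

```python
# Added example: CEF-style FIB + adjacency forwarding (not from the original notes).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Adjacency:
    next_hop_ip: str
    out_interface: str
    next_hop_mac: str        # resolved by ARP at boot, before any packet arrives

class CefSwitch:
    def __init__(self, own_mac: str):
        self.own_mac = own_mac
        self.fib = {}        # ip_network prefix -> (next_hop_ip, interface)
        self.adj = {}        # next_hop_ip -> Adjacency

    def install_route(self, prefix: str, next_hop_ip: str, interface: str, next_hop_mac: str):
        """Route copied down into the FIB; its next hop resolved into the ADJ table."""
        self.fib[ipaddress.ip_network(prefix)] = (next_hop_ip, interface)
        self.adj[next_hop_ip] = Adjacency(next_hop_ip, interface, next_hop_mac)

    def lookup(self, dst_ip: str):
        """Longest prefix match over the FIB; None if no route covers dst_ip."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [p for p in self.fib if dst in p]
        if not matches:
            return None
        return max(matches, key=lambda p: p.prefixlen)

    def forward(self, frame: dict):
        """One hardware forwarding decision: FIB lookup, adjacency fetch, L2 header
        rewrite and TTL decrement. Returns the rewritten frame, or None if dropped."""
        prefix = self.lookup(frame["dst_ip"])
        if prefix is None or frame["ttl"] <= 1:
            return None                              # no route, or TTL expired
        next_hop_ip, _ = self.fib[prefix]
        adj = self.adj[next_hop_ip]                  # MAC already known: no ARP wait
        return {**frame, "src_mac": self.own_mac, "dst_mac": adj.next_hop_mac,
                "out_interface": adj.out_interface, "ttl": frame["ttl"] - 1}
```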




Nowadays all L3 switches come with CEF enabled by default, meaning you have to disable it if you don't want it.

To enable:
conf t
ip cef

A handy command/feature to find bandwidth hogs: ip cef traffic-statistics




You can run the command on the VLANs:


So the switch has all these prefixes/routes in its FIB; also, if we check the ARP table we can see these entries have been
copied into the adjacency table for CEF.


So when copying data from one host to another in different VLANs, we don't need any software routing lookups (the switch has it all already) and off it goes!