Security Best Practices in Catalyst Campus Switches Mike Peeters SE Toronto PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 1 Agenda • Security Myths • Management Channels • VLAN Isolation • Known Attacks • Secure Switch Configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 2 Security Myths • MAC addresses cannot be spoofed • A Switch protects against sniffers • VLANs are completely isolated PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 3 Agenda • Security Myths • Management Channels • VLAN Isolation • Known Attacks • Secure Switch Configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 4 Management Channels • Telnet: for command line interface • SNMP: to read/write data from/to the switch • VTP: VLAN Trunking Protocol • VQP for VMPS Virtual Membership Policy Server • CDP: Cisco Discovery Protocol PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 5 Using a Out of Band Management • Cat 4000 has a dedicated physical Ethernet port for management can be put in a separate VLAN or even to another physical LAN • Cat 5k & Cat 6K have a logical Ethernet port for management MUST be put in a VLAN this should be a dedicated VLAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 6 Out of Band Management (Cont.) Management Inbound ACL VLAN or LAN deny nms any Outbound ACL permit any any permit nms any deny any any WAN Inbound ACL Inbound ACL deny nms any permit nms any Network Management permit any any deny any any • Use topological ACL to prevent IP spoofing for the management VLAN • IPSec tunnel can provide authentication & confidentiality on the WAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 7 Management Channels: Telnet • Telnet can give access to the command line from remote ( passwords are sent in clear text) • two passwords: login password enable password PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 8 Management Channel: SSH • On Cat 4K, 6K with CatOS 6.1 (or IOS 12.1(6)E) SSH can be used to replace Telnet • On Cat 2950 EI and 3550 SSH is available on 12.1(11)EA1 • SSH is using 3DES to provide confidentiality to the Telnet session PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 9 Passwords • Enable password should be different than login password • Physical access to console port means no password needed upon reboot • Passwords are stored in clear text on TFTP servers • Passwords should be more creative than : Router, switch, sanfran, cisco, enable..... PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 10 Using Radius/TACACS+ Can use one time token for login/enable authentication CATALYST> set authentication login tacacs+ enable set authentication enable tacacs+ enable set tacacs key mysecret set tacacs server 1.1.1.1 set tacacs server 2.2.2.2 PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 11 Management Channels: SNMP • SNMP is used to: send traps get information from switch set information to switch • three community strings (RO, RW, RW-all). Defaults public, private • use SNMPv1 => everything in clear including community string • Catalyst switches support SNMP V3 (DES Encryption) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 12 Restricting Telnet/SNMP Access • Telnet and SNMP access can be restricted to 10 IP addresses CATALYST> set ip permit 192.168.1.0 255.255.255.0 set ip permit 192.168.100.1 set ip permit enable PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 13 VLAN Trunking Protocol (VTP) • Used to distribute VLAN configuration among switches • VTP is used over trunk ports • VTP can cause more problems than it solves, consider if it is needed • If needed, VTP can (and should) be authenticated: CatOS> (enable) set vtp [domain domain_name] [mode {client | server | transparent | off}] [passwd passwd][pruning {enable | disable}] [v2 {enable | disable}] IOS(config)#vtp password password-value PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 14 Potential VTP Attacks • Most VTP attacks fall into the “nuisance” category of attacks • DoS is possible by changing around the VLANs on multiple switches • Disabling VTP: CatOS> (enable) set vtp mode transparent | off IOS(config)#vtp mode transparent PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 15 Management Channels: VMPS • VLAN Membership Policy Server is used to assign a VLAN to a port based on: MAC address NT or Novell usernames (with URT) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 16 VMPS Architecture VMPS TFTP server VMPS database VMPS Query client Reply AllAll VMPSVMPS traffic:traffic: ••clearclear texttext ••nonnon authenticationauthentication ••UDPUDP basedbased (spoofing(spoofing trivial)trivial) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 17 Risks with VQP • DoS: preventing people to join the right VLAN • impersonation: joining a desirable but forbidden VLAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 18 Adding Security to VMPS Use an out of band management channel Note: MAC addresses can be forged... PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 19 Management Channels: CDP • Can be used to learn sensible information about the CDP sender (IP address, software version, …) • be sure to disable CDP on ALL non trunk ports CATALYST> set cdp disable all set cdp enable 1/1 PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 20 Agenda • security myths • management channels • VLAN isolation • known attacks • secure switch configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 21 VLAN Isolation MYTH: VLAN a is completely isolated from VLAN b I.e. without layer 3 device, no station on one VLAN can send data to another station on another VLAN PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 22 Trunk Port Refresher Trunk Port • Trunk ports have access to all VLANs by default • Used to route traffic for multiple VLANs across the same physical link (generally used between switches) • Encapsulation can be 802.1Q or ISL PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 23 Dynamic Trunk Protocol (DTP) • What is DTP? Automates ISL/802.1Q trunk configuration Operates between switches Does not operate on routers Not supported on 2900XL or 3500XL • DTP synchronizes the trunking Dynamic mode on link ends Trunk Protocol • DTP prevents the need for management intervention on both sides • DTP state on ISL/1Q trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Non- Negotiate” PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 24 DTP Administrative States • Administrator configurable trunk states ON I want to be a trunk and I don’t care what you think! (Used when the other end does not understand DTP) OFF I don’t want to be a trunk and I don’t care what you think! (Used when the other end cannot do ISL or .1Q) Desirable I’m willing to become a VLAN trunk; are you interested? (Used when you are interested in being a trunk) Auto I’m willing to go with whatever you want! (This is the default on many switches!) Non-Negotiate I want to trunk, and this is what kind of trunk I will be! (Used when you want a specific type of trunk ISL or .1Q) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 25 Basic VLAN Hopping Attack Trunk Port Trunk Port • A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well) • The station is then member of all VLANs • Requires a trunking favorable setting on the port (the SANS paper is three years old) http://www.sans.org/newlook/resources/IDFAQ/vlan.htm PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 26 Double Encapsulated 802.1Q VLAN Hopping Attack Strip off First, and Send 802.1q, 802.1q Back out Attacker 802.1q, Frame Frame Note: Only Works if Trunk Has the Same Native VLAN as the Attacker ( then the trunk will not append a new tag) Victim • Send double encapsulated 802.1Q frames • Switch performs only one level of decapsulation • Unidirectional traffic only • Works even if trunk ports are set to off PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 27 Disabling Auto-Trunking CatOS> (enable) set trunk <mod/port> off IOS(config-if)#switchport mode access • Defaults change depending on switch; always check: From the Cisco docs: “The default mode is dependent on the platform…” To check from the CLI: CatOS> (enable) show trunk [mod|mod/port] IOS(config-if)#show interface type number switchport PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 28 Security Best Practices for VLANs and Trunking • Always use a dedicated VLAN ID ( native VLAN) for all trunk ports that is not defined as an access port on the switch • Disable unused ports and put them in an unused VLAN • Be paranoid: Do not use VLAN 1 for anything • Set all user ports to non-trunking (DTP Off) PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 29 Agenda • security myths • management channels • VLAN isolation • known attacks • secure switch configuration PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 30 Spanning Tree Attacks PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 31 Spanning Tree • Purpose: To maintain loop-free topologies in a redundant Layer 2 infrastructure • Provides path recovery services • Hackers are just starting to play around with STP; the “dsniff” of STP attacks has yet to be released PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. 32 Spanning Tree Basics A F F F F A Switch Is Root Elected as Root A ‘Tree-Like’ Loop-Free Topology Is Established F F B X F B Loop-Free Connectivity PS-543 3029_05_2001_c1 © 2001, Cisco Systems, Inc.