Day 20. LAN Security and Device Hardening

CCNA 200-301 Exam Topics

  • Configure device access control using local passwords

  • Configure network devices for remote access using SSH

  • Differentiate authentication, authorization, and accounting concepts

  • Configure Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)

Key Topics

Today’s review is a whirlwind of topics related to LAN security and device hardening. We will review endpoint security, access control, port security, and LAN threat mitigation techniques.

Endpoint Security

Endpoints are hosts including laptops, desktops, servers, and IP phones. In addition, a network that has a bring your own device (BYOD) policy includes employee-owned devices. Endpoints are particularly susceptible to malware-related attacks that originate through email or web browsing. If an endpoint is infiltrated, it can become a point from which a threat actor can gain access to critical system devices, such as servers and sensitive information.

Endpoints are best protected by host-based Cisco Advanced Malware Protection (AMP) software. AMP products include endpoint solutions such as Cisco AMP for Endpoints. In addition, content security appliances provide fine-grained control over email and web browsing for an organization’s users.

Cisco has two content security appliance products:

  • Cisco Email Security Appliance (ESA)

  • Cisco Web Security Appliance (WSA)

Cisco ESA

Cisco ESA is a special device designed to monitor email’s primary protocol, Simple Mail Transfer Protocol (SMTP). Cisco ESA can do the following:

  • Block known threats

  • Remediate against stealth malware that evades initial detection

  • Discard emails with bad links

  • Block access to newly infected sites

  • Encrypt content in outgoing email to prevent data loss

Figure 20-1 shows the Cisco ESA process of discarding a targeted phishing attack.

Figure 20-1 Cisco ESA Discards Bad Emails

The process shown in Figure 20-1 is as follows:

Step 1. Threat actor sends a phishing attack to an important host on the network.

Step 2. The firewall forwards all email to the ESA.

Step 3. The ESA analyzes the email, logs it, and discards it.

Cisco WSA

Cisco WSA combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting. Cisco WSA provides complete control over how users access the Internet. Certain features and applications, such as chat, messaging, video, and audio, can be allowed, restricted with time and bandwidth limits, or blocked, according to the organization’s requirements. WSA can perform blacklisting of URLs, URL filtering, malware scanning, URL categorization, web application filtering, and encryption and decryption of web traffic.

Figure 20-2 shows a corporate user attempting to connect to a known blacklisted site.

Figure 20-2 Cisco WSA Discards a Packet Destined for a Blacklisted Site

The process shown in Figure 20-2 is as follows:

Step 1. A user attempts to connect to a website.

Step 2. The firewall forwards the website request to the WSA.

Step 3. The WSA evaluates the URL and determines it is a known blacklisted site. The WSA discards the packet and sends an access denied message to the user.

Access Control

Many types of authentication can be performed on networking devices to control access, and each method offers varying levels of security.

Local Authentication

The simplest method of remote access authentication is to configure a login and password combination on console, vty lines, and aux ports, as shown in Example 20-1. This method, however, provides no accountability, and the password is sent in plaintext. Anyone with the password can gain entry to the device.

Example 20-1 Local Password Only Authentication

R1(config)# line vty 0 4
R1(config-line)# password ci5c0
R1(config-line)# login

Instead of using a shared password with no usernames, you can use the username username secret password command to configure local username/password pairs. Require a username/password pair with the login local line configuration command. Use the no password line configuration command to remove any configured passwords. In Example 20-2, a username/password pair is configured and applied to the lines, and then Telnet access is tested from a switch. Notice that the password has been stored as an MD5 hash, indicated by the 5 following secret in the output from the show run command.

Example 20-2 Local Username/Password Authentication

R1(config)# username allanj secret 31daysCCNA
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# no password
R1(config-line)# line vty 0 15
R1(config-line)# login local
R1(config-line)# no password
S1# telnet 10.10.10.1
Trying 10.10.10.1 ...Open


User Access Verification

Username: allanj
Password:
R1> enable
Password:
R1# show run | include username
username allanj secret 5 $1$mERr$e/edsAr7D0CyM/z3tMvyL/
R1#

SSH Configuration

Secure Shell (SSH) is considered a security best practice because Telnet (port 23) uses insecure plaintext transmission of both the login and the data across the connection. SSH (port 22) is a more secure form of remote access:

  • It requires a username and a password, both of which are encrypted during transmissions.

  • The username and password can be authenticated using the local database method.

  • It provides more accountability because the username is recorded when a user logs in.

Example 20-3 illustrates SSH and local database methods of remote access.

Example 20-3 Configuring SSH Remote Access on a Switch

S1# show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (of at least 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
S1# conf t
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your
   General Purpose Keys. Choosing a key modulus greater than 512 may take
   a few minutes.

How many bits in the modulus [512]:1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)
*Mar 1 02:20:18.529: %SSH-5-ENABLED: SSH 1.99 has been enabled
S1(config)# line vty 0 15
S1(config-line)# login local
S1(config-line)# transport input ssh
S1(config-line)# username allanj secret 31daysCCNA
!The following commands are optional SSH configurations.
S1(config)# ip ssh version 2
S1(config)# ip ssh authentication-retries 5
S1(config)# ip ssh time-out 60
S1(config)# end
S1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 5
S1#

The following steps occur in Example 20-3:

Step 1. Verify that the switch supports SSH using the show ip ssh command. If the command is not recognized, you know that SSH is not supported.

Step 2. Configure a DNS domain name with the ip domain-name global configuration command.

Step 3. Configure the switch using the crypto key generate rsa command to generate an RSA key pair and automatically enable SSH. When generating RSA keys, you are prompted to enter a modulus length. Cisco recommends a minimum modulus size of 1024 bits, as in Example 20-3.

Step 4. Change the vty lines to use usernames, with either locally configured usernames or an authentication, authorization, and accounting (AAA) server. In Example 20-3, the login local vty subcommand defines the use of local usernames, replacing the login vty subcommand.

Step 5. Configure the switch to accept only SSH connections with the transport input ssh vty subcommand. (The default is transport input telnet.)

Step 6. Add one or more username password global configuration commands to configure username/password pairs.

Step 7. If desired, modify the default SSH configuration to change the SSH version to 2.0, the number of authentication tries, and the timeout, as in Example 20-3.

Step 8. Verify your SSH parameters by using the show ip ssh command.

Switch Port Hardening

Router interfaces must be activated with the no shutdown command before they become operational. The opposite is true for Cisco Catalyst switches: an interface is activated when a device is connected to the port. To provide out-of-the-box functionality, Cisco chose a default configuration that includes interfaces that work without any configuration, including automatically negotiating speed and duplex. In addition, all interfaces are assigned to the default VLAN 1.

This default configuration exposes switches to some security threats. The following are security best practices for unused interfaces:

  • Administratively disable the interface by using the shutdown interface subcommand.

  • Prevent VLAN trunking by making the port a nontrunking interface using the switchport mode access interface subcommand.

  • Assign the port to an unused VLAN by using the switchport access vlan number interface subcommand.

  • Set the native VLAN to not be VLAN 1 but to instead be an unused VLAN, using the switchport trunk native vlan vlan-id interface subcommand.

Even when you shut down unused ports on the switches, if a device is connected to one of those ports and the interface is enabled, trunking can occur. In addition, all ports are in VLAN 1 by default. A good practice is to put all unused ports in a black hole VLAN. Example 20-4 demonstrates this best practice, assuming that ports 20–24 are unused.

Example 20-4 Assigning Unused Ports to a Black Hole VLAN

S1(config)# vlan 999
S1(config-vlan)# name BlackHole
S1(config-vlan)# interface range fa0/20 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)#

AAA

Configuring usernames and passwords on all your network devices is not very scalable. A better option is to use an external server to centralize and secure all username/password pairs. To address this issue, Cisco devices support the authentication, authorization, and accounting (AAA) framework to help secure device access.

Cisco devices support two AAA authentication protocols:

  • Terminal Access Controller Access Control System Plus (TACACS+, pronounced as “tack-axe plus”)

  • Remote Authentication Dial-In User Service (RADIUS)

The choice of TACACS+ or RADIUS depends on the needs of the organization. For example, a large ISP might select RADIUS because it supports the detailed accounting required for billing users. An organization with various user groups might select TACACS+ because it requires authorization policies to be applied on a per-user or per-group basis. Table 20-1 compares TACACS+ and RADIUS.

Table 20-1 Comparison of TACACS+ and RADIUS

Feature                                                    TACACS+          RADIUS
---------------------------------------------------------  ---------------  ----------
Most often used for                                        Network devices  Users
Transport protocol                                         TCP              UDP
Authentication port number(s)                              49               1645, 1812
Protocol encrypts the password                             Yes              Yes
Protocol encrypts entire packet                            Yes              No
Supports function to authorize each user to a subset of    Yes              No
  CLI commands
Defined by                                                 Cisco            RFC 2865

Both TACACS+ and RADIUS use a client/server model, where an authenticating device is the client talking to an AAA server. Figure 20-3 shows a simplified view of the process, where a user is attempting to connect to a switch for management purposes.

Figure 20-3 A Simplified View of AAA

802.1X

IEEE 802.1X is a standard port-based access control and authentication protocol. It is ideal for restricting unauthorized access through publicly available LAN devices, such as switches and wireless access points.

802.1X defines three roles for devices in the network, as Figure 20-4 shows:

Figure 20-4 802.1X Roles

  • Client (supplicant): This is usually the 802.1X-enabled port on the device that requests access to LAN and switch services and responds to requests from the switch. In Figure 20-4, the device is a PC running 802.1X-compliant client software.

  • Switch (authenticator): The switch controls physical access to the network, based on the authentication status of the client. The switch acts as a proxy between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client.

  • Authentication server: The authentication server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch about whether the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. RADIUS is the only supported authentication server.

Figure 20-5 shows the authentication flows for a typical 802.1X process.

Figure 20-5 802.1X Authentication Flows

The 802.1X process is summarized as follows:

  • The RADIUS authentication server is configured with usernames and passwords.

  • Each LAN switch is enabled as an 802.1X authenticator, is configured with the IP address of the authentication server, and has 802.1X enabled on all required ports.

  • Users who connect devices to 802.1X-enabled ports must know the username/password before they can access the network.

Port Security

If you know which devices should be cabled and connected to particular interfaces on a switch, you can use port security to restrict that interface so that only the expected devices can use it. This reduces exposure to some types of attacks in which the attacker connects a laptop to the wall socket or uses the cable attached to another end device to gain access to the network.

Port Security Configuration

Port security configuration involves several steps. Basically, you need to make the port an access port, which means the port is not doing any VLAN trunking. You then need to enable port security and configure the Media Access Control (MAC) addresses of the devices allowed to use that port. The following list outlines the steps in port security configuration, including the configuration commands used:

Step 1. Configure the interface for static access mode by using the switchport mode access interface subcommand.

Step 2. Enable port security by using the switchport port-security interface subcommand.

Step 3. (Optional) Override the maximum number of allowed MAC addresses associated with the interface (the default is 1) by using the switchport port-security maximum number interface subcommand.

Step 4. (Optional) Override the default action when there is a security violation (shutdown) by using the switchport port-security violation {protect | restrict | shutdown} interface subcommand.

Step 5. (Optional) Predefine any allowed source MAC address(es) for this interface by using the switchport port-security mac-address mac-address command. Use the command multiple times to define more than one MAC address.

Step 6. (Optional) Instead of taking step 5, configure the interface to dynamically learn and configure the MAC addresses of currently connected hosts by configuring the switchport port-security mac-address sticky interface subcommand.

When an unauthorized device attempts to send frames to the switch interface, the switch can issue informational messages, discard frames from that device, or even discard frames from all devices by effectively shutting down the interface. Exactly which action the switch port takes depends on the option you configure in the switchport port-security violation command. Table 20-2 lists actions that the switch will take based on whether you configure the option protect, restrict, or shutdown (default).

Table 20-2 Actions When Port Security Violation Occurs

Option on the switchport port-security violation Command   protect   restrict   shutdown
---------------------------------------------------------  --------  ---------  ---------
Discards offending traffic                                 Yes       Yes        Yes
Sends log and SNMP messages                                No        Yes        Yes
Disables the interface, discarding all traffic             No        No         Yes

Example 20-5 shows a port security configuration in which each access interface is allowed a maximum of three MAC addresses. If a fourth MAC address is detected, only the offending device’s traffic is discarded. If the violation option is not explicitly configured, the traffic for devices that are allowed on the port also is discarded because the port would be shut down by default.

Example 20-5 Port Security Configuration Example

S1(config)# interface range fa0/5 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport port-security
S1(config-if-range)# switchport port-security maximum 3
S1(config-if-range)# switchport port-security violation restrict
S1(config-if-range)# switchport port-security mac-address sticky

To verify port security configuration, use the more general show port-security command or the more specific show port-security interface type number command. Example 20-6 demonstrates the use of both commands. In the examples, notice that only one device is currently attached to an access port on S1.

Example 20-6 Port Security Verification Command Output Examples

S1# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
           (Count)        (Count)     (Count)
Fa0/5       3              1           0               Restrict
Fa0/6       3              0           0               Restrict
Fa0/7       3              0           0               Restrict
Fa0/8       3              0           0               Restrict
Fa0/9       3              0           0               Restrict
Fa0/10      3              0           0               Restrict
Fa0/11      3              0           0               Restrict
Fa0/12      3              0           0               Restrict
Fa0/13      3              0           0               Restrict
Fa0/14      3              0           0               Restrict
Fa0/15      3              0           0               Restrict
Fa0/16      3              0           0               Restrict
Fa0/17      3              0           0               Restrict
Fa0/18      3              0           0               Restrict
Fa0/19      3              0           0               Restrict
Fa0/20      3              0           0               Restrict
Fa0/21      3              0           0               Restrict
Fa0/22      3              0           0               Restrict
Fa0/23      3              0           0               Restrict
Fa0/24      3              0           0               Restrict
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8320
S1# show port-security interface fastethernet 0/5
Port Security                 :Enabled
Port Status                   :Secure-down
Violation Mode                :Restrict
Aging Time                    :0 mins
Aging Type                    :Absolute
SecureStatic Address Aging    :Disabled
Maximum MAC Addresses         :3
Total MAC Addresses           :1
Configured MAC Addresses      :0
Sticky MAC Addresses          :1
Last Source Address:Vlan      :0014.22dd.37a3:1
Security Violation Count      :0

Port Security Aging

Port security aging can be used to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:

  • Absolute: The secure addresses on the port are deleted after the specified aging time.

  • Inactivity: The secure addresses on the port are deleted only if they are inactive for the specified aging time.

Use the switchport port-security aging command to enable or disable static aging for the secure port or to set the aging time or type:

Switch(config-if)# switchport port-security aging { static | time time |
  type {absolute | inactivity}}

Table 20-3 describes the parameters for this command.

Table 20-3 Parameters for the port-security aging Command

Parameter        Description
---------------  -------------------------------------------------------------------------
static           Enable aging for statically configured secure addresses on this port.
time time        Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type absolute    Set the absolute aging time. All the secure addresses on this port age out exactly after the time (in minutes) specified and are removed from the secure address list.
type inactivity  Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Example 20-7 shows an administrator configuring port security aging to 10 minutes of inactivity and using the show port-security interface command to verify the configuration.

Example 20-7 Configuring and Verifying Port Security Aging

S1(config)# interface fa0/1
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Restrict
Aging Time                 : 10 mins
Aging Type                 : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 4
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.56be.e4dd:1
Security Violation Count   : 1

Port Restoration After a Violation

When port security is activated on an interface, the default action when a violation occurs is to shut down the port. A security violation can occur in one of two ways:

  • The maximum number of secure MAC addresses has been added to the address table for that interface, and a station whose MAC address is not in the address table attempts to access the interface.

  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

When a violation occurs, a syslog message is sent to the console, stating that the interface is now in the err-disable state. The console messages include the port number and the MAC address that caused the violation, as Example 20-8 shows.

Example 20-8 Port Security Violation Verification and Restoration

S1#
Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:55.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
!The two following commands can be used to verify the port status.
S1# show interface fa0/18 status
Port   Name  Status        Vlan Duplex  Speed  Type
Fa0/18       err-disabled   5    auto    auto   10/100BaseTX
S1# show port-security interface fastethernet 0/18
Port Security                   : Enabled
Port Status                     : Secure-shutdown
Violation Mode                  : Shutdown
Aging Time                      : 0 mins
Aging Type                      : Absolute
SecureStatic Address Aging      : Disabled
Maximum MAC Addresses           : 1
Total MAC Addresses             : 0
Configured MAC Addresses        : 0
Sticky MAC Addresses            : 0
Last Source Address:Vlan        : 000c.292b.4c75:1
Security Violation Count        : 1
!To restore a port, manually shut it down and then reactivate it.
S1(config)# interface FastEthernet 0/18
S1(config-if)# shutdown
Sep 20 06:57:28.532: %LINK-5-CHANGED: Interface FastEthernet0/18, changed state to
   administratively down
S1(config-if)# no shutdown
Sep 20 06:57:48.186: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to up
Sep 20 06:57:49.193: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/18, changed state to up

You can use the show interface type number status or show port-security interface type number command to verify the current state of the port. To restore the port, you must first manually shut down the interface and then reactivate it, as in Example 20-8.
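The port security behaviour described in the configuration steps, the violation actions of Table 20-2, the aging parameters of Table 20-3 and the two violation conditions above can be exercised as a small model. This is an added Python illustration, not IOS or book code; the port names and MAC addresses are constructed, and time is a minute counter supplied by the caller rather than a real clock.

```python
"""Model of Cisco port security behaviour: an added illustration, not IOS code.
Covers the violation actions of Table 20-2 (protect / restrict / shutdown), the two
violation conditions, absolute vs inactivity aging (Table 20-3) and the shutdown /
no shutdown restoration of Example 20-8. MACs and the minute counter are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class SecurePort:
    name: str
    vlan: int = 1
    maximum: int = 1               # switchport port-security maximum (default 1)
    violation: str = "shutdown"    # protect | restrict | shutdown (default)
    sticky: bool = False           # switchport port-security mac-address sticky
    aging_time: int = 0            # switchport port-security aging time; 0 disables aging
    aging_type: str = "absolute"   # switchport port-security aging type {absolute | inactivity}
    secure: Dict[str, Tuple[str, int, int]] = field(default_factory=dict)  # mac -> (kind, learned, last_seen)
    err_disabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)

class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, SecurePort] = {}

    def add_port(self, port: SecurePort) -> SecurePort:
        self.ports[port.name] = port
        return port

    def _secured_elsewhere(self, port: SecurePort, mac: str) -> bool:
        """Second violation condition: the MAC is already secured on another port in the same VLAN."""
        return any(o is not port and o.vlan == port.vlan and mac in o.secure for o in self.ports.values())

    def _age(self, port: SecurePort, now: int) -> None:
        """Remove secure addresses whose aging timer (Table 20-3) has expired."""
        if port.aging_time == 0:
            return
        for mac, (kind, learned, last) in list(port.secure.items()):
            reference = learned if port.aging_type == "absolute" else last
            if now - reference >= port.aging_time:
                del port.secure[mac]

    def _violate(self, port: SecurePort, mac: str) -> str:
        """Apply the configured violation action (Table 20-2) to an offending frame."""
        if port.violation == "protect":
            return "dropped"           # silent: no counter, no syslog, no SNMP trap
        port.violation_count += 1
        port.log.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {mac} on port {port.name}.")
        if port.violation == "restrict":
            return "dropped"           # only the offender is dropped; the port stays up
        port.err_disabled = True       # shutdown: the whole interface goes err-disabled
        port.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {port.name}, "
                        f"putting {port.name} in err-disable state")
        return "err-disabled"

    def receive(self, port_name: str, src_mac: str, now: int) -> str:
        """Process one ingress frame; returns 'forwarded', 'dropped' or 'err-disabled'."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "err-disabled"
        self._age(port, now)
        if src_mac in port.secure:
            kind, learned, _ = port.secure[src_mac]
            port.secure[src_mac] = (kind, learned, now)   # refresh the inactivity timer
            return "forwarded"
        if self._secured_elsewhere(port, src_mac) or len(port.secure) >= port.maximum:
            return self._violate(port, src_mac)
        port.secure[src_mac] = ("sticky" if port.sticky else "dynamic", now, now)
        return "forwarded"

    def restore(self, port_name: str) -> None:
        """Operator issues shutdown, then no shutdown, on the err-disabled interface."""
        port = self.ports[port_name]
        port.err_disabled = False
        # Link down flushes dynamically learned addresses; sticky ones persist in the config.
        port.secure = {m: v for m, v in port.secure.items() if v[0] != "dynamic"}

def demo() -> Dict[str, object]:
    """Replay the situations of Examples 20-5, 20-7 and 20-8 with constructed MAC addresses."""
    sw = Switch()
    sw.add_port(SecurePort("Fa0/5", maximum=3, violation="restrict", sticky=True))
    sw.add_port(SecurePort("Fa0/18"))                 # defaults: maximum 1, violation shutdown
    sw.add_port(SecurePort("Fa0/1", violation="protect", aging_time=10, aging_type="inactivity"))
    r: Dict[str, object] = {}
    for minute, mac in enumerate(["0014.22dd.37a1", "0014.22dd.37a2", "0014.22dd.37a3"]):
        sw.receive("Fa0/5", mac, now=minute)          # three sticky hosts are learned
    r["fa5_fourth_host"] = sw.receive("Fa0/5", "000c.292b.4c75", now=3)    # restrict: dropped, port up
    r["fa5_known_host_after"] = sw.receive("Fa0/5", "0014.22dd.37a1", now=4)
    r["fa5_violations"] = sw.ports["Fa0/5"].violation_count
    r["fa18_moved_mac"] = sw.receive("Fa0/18", "0014.22dd.37a1", now=5)   # secured on Fa0/5: err-disable
    r["fa18_log"] = sw.ports["Fa0/18"].log
    sw.restore("Fa0/18")
    r["fa18_after_restore"] = sw.receive("Fa0/18", "0050.56be.e4dd", now=6)
    sw.receive("Fa0/1", "00aa.bbcc.dd01", now=10)     # inactivity aging: slot frees after 10 silent minutes
    r["fa1_second_host_at_15"] = sw.receive("Fa0/1", "00aa.bbcc.dd02", now=15)
    r["fa1_protect_count"] = sw.ports["Fa0/1"].violation_count
    r["fa1_second_host_at_21"] = sw.receive("Fa0/1", "00aa.bbcc.dd02", now=21)
    return r
```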

LAN Threat Mitigation

This section reviews LAN threats and mitigation techniques for VLAN attacks, DHCP attacks, and ARP attacks.

Native and Management VLAN Modification

The IEEE 802.1Q specification defines a native VLAN to maintain backward compatibility with untagged traffic that is common in legacy LAN scenarios. A native VLAN serves as a common identifier on opposite ends of a trunk link. VLAN 1 is the native VLAN by default.

A management VLAN is any VLAN configured to access the management capabilities of a switch. VLAN 1 is the management VLAN by default. The management VLAN is assigned an IP address and subnet mask, allowing the switch to be managed through HTTP, Telnet, SSH, or SNMP.

It is a best practice to configure the native VLAN as an unused VLAN distinct from VLAN 1 and other VLANs. In fact, it is not unusual to dedicate a fixed VLAN to serve the role of the native VLAN for all trunk ports in the switched domain. Likewise, the management VLAN should be configured as something other than VLAN 1. The management and native VLANs can be configured as the same VLAN, as in Example 20-9.

Example 20-9 Configuring the Native and Management VLAN

S1(config)# vlan 86
S1(config-vlan)# name Management&Native
S1(config-vlan)# interface vlan 86
*Jul 13 14:14:04.840: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan86,
   changed state to down
S1(config-if)# ip address 10.10.86.10 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# ip default-gateway 10.10.86.254
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport trunk native vlan 86
S1(config-if-range)#
*Jul 13 14:15:55.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan86,
   changed state to up
S1(config-if-range)#

First, a VLAN is created that will be used for the management and native VLAN. Next, by activating interface VLAN 86, the switch can be remotely managed. Finally, the trunk ports are statically configured, and VLAN 86 is set as the native VLAN for all untagged traffic. After it is configured, the interface VLAN 86 comes up.

VLAN Attacks

VLAN attacks can be launched in one of three ways:

  • Spoofing Dynamic Trunking Protocol (DTP) messages: Spoofing DTP messages from the attacking host can cause the switch to enter trunking mode. From here, the attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the destination.

  • Introducing a rogue switch and enabling trunking: After doing this, an attacker can access all the VLANs on the victim switch from the rogue switch.

  • Mounting a double-tagging (or double-encapsulated) attack: This type of VLAN hopping attack takes advantage of the way hardware on most switches operates. A threat actor in specific situations could embed a hidden 802.1Q tag inside the frame that already has an 802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.

VLAN Attack Mitigation

Use the following steps to mitigate VLAN hopping attacks:

Step 1. Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access interface configuration command.

Step 2. Disable unused ports and put them in an unused VLAN.

Step 3. Manually enable the trunk link on a trunking port by using the switchport mode trunk command.

Step 4. Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate command.

Step 5. Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan vlan_number command.

For example, assume the following:

  • FastEthernet ports 0/1 through 0/16 are active access ports.

  • FastEthernet ports 0/17 through 0/24 are not currently in use.

  • FastEthernet ports 0/21 through 0/24 are trunk ports.

VLAN hopping can be mitigated by implementing the following configuration, as shown in Example 20-10:

  • Trunking is disabled on FastEthernet ports 0/1 to 0/16.

  • FastEthernet ports 0/17 to 0/20 are assigned an unused VLAN.

  • FastEthernet ports 0/21 to 0/24 are manually enabled as trunks with DTP disabled. The native VLAN is also changed from the default VLAN 1 to VLAN 86.

Example 20-10 VLAN Hopping Attack Mitigation

S1(config)# interface range fa0/1 - 16
S1(config-if-range)# switchport mode access
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/17 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# exit
S1(config)#
S1(config)# interface range fa0/21 - 24
S1(config-if-range)# switchport mode trunk
S1(config-if-range)# switchport nonegotiate
S1(config-if-range)# switchport trunk native vlan 86
S1(config-if-range)# end
S1#
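The SSH steps of Example 20-3, the unused-port best practices from the Switch Port Hardening section and the VLAN hopping mitigation steps above amount to a checklist that can be run against a saved running-config. The audit script below is an added example, not the book's or Cisco's code; the parsing rules, the port-role dictionary (which ports are active access, unused, or trunk, as the chapter's assumptions state) and SAMPLE_CONFIG are assumptions constructed for illustration, with deliberate gaps so that findings appear.

```python
"""Audit an IOS running-config against the hardening steps reviewed above.
Added example, not the chapter's own: checks the vty/SSH settings of Example 20-3,
the unused-port best practices (Example 20-4) and the VLAN hopping mitigation of
Example 20-10. ROLES and SAMPLE_CONFIG are constructed; the config has deliberate gaps.
"""
from typing import Dict, List, Tuple

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and indented sections keyed by header."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):                 # indented: belongs to the open section
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:                                    # any other top-level line is global
            current = None
            global_cmds.append(line)
    return global_cmds, sections

def _vlan(cmds: List[str], prefix: str) -> int:   # VLAN set by '<prefix> <n>', else the default 1
    nums = [int(c.split()[-1]) for c in cmds if c.startswith(prefix + " ")]
    return nums[-1] if nums else 1

def audit_remote_access(global_cmds: List[str], sections: Dict[str, List[str]]) -> List[str]:
    """Example 20-3 checks: SSH version 2, secret-based users, SSH-only vty lines with login local."""
    findings = []
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: ip ssh version 2 not set")
    for g in global_cmds:
        if g.startswith("username ") and " secret " not in g:
            findings.append(f"global: user '{g.split()[1]}' uses password instead of secret")
    for header, cmds in sections.items():
        if not header.startswith("line vty"):
            continue
        if "login local" not in cmds:
            findings.append(f"{header}: login local missing")
        if "transport input ssh" not in cmds:
            findings.append(f"{header}: transport input ssh missing (Telnet still accepted)")
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{header}: shared line password configured; use no password")
    return findings

def audit_ports(sections: Dict[str, List[str]], roles: Dict[str, str]) -> List[str]:
    """Example 20-4 / 20-10 checks; roles maps interface name -> access | unused | trunk."""
    findings = []
    for name, role in roles.items():
        cmds = sections.get(f"interface {name}", [])
        if role in ("access", "unused") and "switchport mode access" not in cmds:
            findings.append(f"{name}: DTP not disabled (switchport mode access missing)")
        if role == "unused":
            if "shutdown" not in cmds:
                findings.append(f"{name}: unused port not shut down")
            if _vlan(cmds, "switchport access vlan") == 1:
                findings.append(f"{name}: unused port left in VLAN 1")
        elif role == "trunk":
            if "switchport mode trunk" not in cmds:
                findings.append(f"{name}: trunk not statically configured")
            if "switchport nonegotiate" not in cmds:
                findings.append(f"{name}: DTP still enabled on trunk (switchport nonegotiate missing)")
            if _vlan(cmds, "switchport trunk native vlan") == 1:
                findings.append(f"{name}: native VLAN is still VLAN 1")
    return findings

def run_audit(text: str, roles: Dict[str, str]) -> List[str]:
    global_cmds, sections = parse_config(text)
    return audit_remote_access(global_cmds, sections) + audit_ports(sections, roles)

SAMPLE_CONFIG = """\
username allanj secret 31daysCCNA
username legacy password 0 weakpass
interface FastEthernet0/2
 switchport mode dynamic desirable
interface FastEthernet0/18
 shutdown
interface FastEthernet0/21
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 86
interface FastEthernet0/22
 switchport mode trunk
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password ci5c0
 login
"""
ROLES = {"FastEthernet0/2": "access", "FastEthernet0/18": "unused",
         "FastEthernet0/21": "trunk", "FastEthernet0/22": "trunk"}
if __name__ == "__main__":
    print(*run_audit(SAMPLE_CONFIG, ROLES), sep="\n")
```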

DHCP Attacks

Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by implementing DHCP snooping.

DHCP Starvation Attacks

The goal of a DHCP starvation attack is to create a denial-of-service condition for connecting clients. DHCP starvation attacks require an attack tool such as Gobbler. Gobbler looks at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.

DHCP Spoofing Attacks

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients. For example, in Figure 20-6, R1 is configured to relay DHCP requests to the DHCP server attached to R2.

Figure 20-6 Rogue DHCP Server Intercepting DHCP Requests

However, the rogue DHCP server attached to SW1 responds to the DHCP request from PC1 first. PC1 accepts the DHCP offer and sets the rogue DHCP server as the default gateway.

DHCP Snooping

To protect against DHCP attacks, DHCP snooping uses the concept of trusted and untrusted ports. As Figure 20-7 shows, SW2, R1, and the DHCP server are attached to trusted ports on SW1. The other devices, including the wireless access point, are connected to untrusted ports.

Figure 20-7 Trusted and Untrusted Ports

Some critical features of a DHCP snooping configuration include the following:

  • Trusted ports: Trusted ports allow all incoming DHCP messages.

  • Untrusted ports, server messages: Untrusted ports discard all incoming messages that are considered server messages.

  • Untrusted ports, client messages: Untrusted ports apply more complex logic for messages considered client messages. They check whether each incoming DHCP message conflicts with existing DHCP binding table information; if so, they discard the DHCP message. If the message has no conflicts, the switch allows the message through, which typically results in the addition of new DHCP binding table entries.

  • Rate limiting: This feature optionally limits the number of received DHCP messages per second per port.

Use the following steps to enable DHCP snooping:

Step 1. Enable DHCP snooping by using the ip dhcp snooping global configuration command.

Step 2. On trusted ports, use the ip dhcp snooping trust interface configuration command.

Step 3. Limit the number of DHCP discovery messages that can be received per second on untrusted ports by using the ip dhcp snooping limit rate number interface configuration command. This helps mitigate DHCP starvation attacks.

Step 4. Enable DHCP snooping by VLAN or by a range of VLANs by using the ip dhcp snooping vlan global configuration command.

For a simple scenario, consider the topology in Figure 20-8.

Figure 20-8 DHCP Snooping Configuration Topology

Example 20-11 shows how to configure and verify DHCP snooping on S1.

Example 20-11 Configuring and Verifying DHCP Snooping

S1(config)# ip dhcp snooping
S1(config)# interface f0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
S1(config)# interface range f0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
S1(config)# ip dhcp snooping vlan 5,10,50-52
S1(config)# end
S1# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
5,10,50-52
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0cd9.96d2.3f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1             yes        yes             unlimited
  Custom circuit-ids:
FastEthernet0/5             no         no              6
  Custom circuit-ids:
FastEthernet0/6             no         no              6
  Custom circuit-ids:
S1# show ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec)  Type          VLAN  Interface
------------------ --------------- ---------- ------------- ---- ----------------
00:03:47:B5:9F:AD  192.168.10.10   193185     dhcp-snooping 5    FastEthernet0/5
S1#
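To make the trusted/untrusted rules and the rate limiter concrete, the following Python model is an added example; it is not Cisco code and does not come from the book. It replays a constructed DHCP exchange through the rules listed above: server messages are dropped on untrusted ports, the DHCP chaddr must match the Ethernet source MAC (the "Verification of hwaddr field" line in the show output), giaddr and option 82 are rejected on untrusted ports, DHCPRELEASE and DHCPDECLINE are checked against the binding table, and a per-port rate limit err-disables the port. The DhcpSnooping class, the Port and DhcpMsg records, the port names and the MAC addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# DHCP message types (option 53); OFFER, ACK and NAK are server messages
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = range(1, 8)
SERVER_TYPES = {OFFER, ACK, NAK}


@dataclass
class Port:
    name: str
    trusted: bool = False
    rate_limit: int = 0          # DHCP packets per second; 0 = unlimited
    err_disabled: bool = False


@dataclass
class DhcpMsg:
    """Constructed stand-in for one DHCP packet as the switch receives it."""
    port: str
    vlan: int
    eth_src: str                 # Ethernet source MAC of the frame
    chaddr: str                  # client hardware address in the DHCP header
    msg_type: int
    ts: float                    # arrival time in seconds (for rate limiting)
    yiaddr: str = "0.0.0.0"      # address assigned by the server (OFFER/ACK)
    giaddr: str = "0.0.0.0"      # relay agent address; non-zero only via a relay
    option82: bool = False       # relay agent information option present


class DhcpSnooping:
    """Hypothetical model of the per-port DHCP snooping decision logic."""
    def __init__(self, ports, vlans):
        self.ports = {p.name: p for p in ports}
        self.vlans = set(vlans)
        self.bindings: Dict[Tuple[str, int], Tuple[str, str]] = {}  # (chaddr, vlan) -> (ip, port)
        self._pending: Dict[Tuple[str, int], str] = {}   # client port seen in DISCOVER/REQUEST
        self._counts: Dict[Tuple[str, int], int] = {}    # (port, second) -> packets seen

    def process(self, m: DhcpMsg) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one DHCP message."""
        port, key = self.ports[m.port], (m.chaddr, m.vlan)
        if m.vlan not in self.vlans:
            return "forward", "VLAN not snooped"
        if port.trusted:
            # Trusted ports accept everything; an ACK for a client seen on an
            # untrusted port creates the binding table entry.
            if m.msg_type == ACK and key in self._pending:
                self.bindings[key] = (m.yiaddr, self._pending.pop(key))
            return "forward", "trusted port"
        # --- untrusted port rules ---
        if port.err_disabled:
            return "drop", "port is err-disabled"
        if port.rate_limit:
            bucket = (m.port, int(m.ts))
            self._counts[bucket] = self._counts.get(bucket, 0) + 1
            if self._counts[bucket] > port.rate_limit:
                port.err_disabled = True
                return "drop", "rate limit exceeded, port err-disabled"
        if m.msg_type in SERVER_TYPES:
            return "drop", "server message on untrusted port"
        if m.eth_src.lower() != m.chaddr.lower():
            return "drop", "hwaddr verification failed (chaddr != Ethernet source)"
        if m.giaddr != "0.0.0.0" or m.option82:
            return "drop", "giaddr/option 82 not allowed on untrusted port"
        if m.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b is None or b[1] != m.port:
                return "drop", "RELEASE/DECLINE conflicts with binding table"
            del self.bindings[key]
            return "forward", "client message, binding removed"
        self._pending[key] = m.port
        return "forward", "client message"


def run_scenario():
    """Replay a constructed exchange; returns the decisions and the switch."""
    sw = DhcpSnooping([Port("Fa0/1", trusted=True), Port("Fa0/5", rate_limit=6),
                       Port("Fa0/6", rate_limit=6)], vlans=[5])
    pc, srv, evil = "00:03:47:b5:9f:ad", "00:0c:29:aa:bb:cc", "de:ad:be:ef:00:01"
    r = {}
    # 1. Normal lease for the PC on Fa0/5; the server answers on trusted Fa0/1
    r["discover"] = sw.process(DhcpMsg("Fa0/5", 5, pc, pc, DISCOVER, 0.0))
    r["offer"] = sw.process(DhcpMsg("Fa0/1", 5, srv, pc, OFFER, 0.1, yiaddr="192.168.10.10"))
    r["request"] = sw.process(DhcpMsg("Fa0/5", 5, pc, pc, REQUEST, 0.2))
    r["ack"] = sw.process(DhcpMsg("Fa0/1", 5, srv, pc, ACK, 0.3, yiaddr="192.168.10.10"))
    # 2. Rogue DHCP server plugged into access port Fa0/6
    r["rogue_offer"] = sw.process(DhcpMsg("Fa0/6", 5, evil, pc, OFFER, 1.0, yiaddr="10.0.0.9"))
    # 3. Attacker tries to release the PC's lease, then retries spoofing the
    #    PC's Ethernet source MAC too (caught by the binding's interface)
    r["release_bad_hwaddr"] = sw.process(DhcpMsg("Fa0/6", 5, evil, pc, RELEASE, 1.1))
    r["release_wrong_port"] = sw.process(DhcpMsg("Fa0/6", 5, pc, pc, RELEASE, 1.2))
    # 4. DHCP starvation: seven DISCOVERs within one second from random MACs
    macs = [f"02:00:00:00:00:{i:02x}" for i in range(7)]
    r["flood"] = [sw.process(DhcpMsg("Fa0/6", 5, mac, mac, DISCOVER, 2.0 + i / 10))[0]
                  for i, mac in enumerate(macs)]
    r["after_errdisable"] = sw.process(DhcpMsg("Fa0/6", 5, evil, evil, DISCOVER, 3.0))
    return r, sw
```

Running run_scenario() shows the PC's lease being recorded as a binding on Fa0/5, the rogue DHCPOFFER and both DHCPRELEASE attempts from Fa0/6 being dropped, and the seventh DHCPDISCOVER in one second err-disabling Fa0/6 (rate limit 6, matching Example 20-11). A real switch also ages bindings by lease time and recovers err-disabled ports only through errdisable recovery or a shutdown/no shutdown; neither is modeled here.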

ARP Attacks

On Ethernet LANs, hosts are allowed to send an unsolicited Address Resolution Protocol (ARP) reply called a gratuitous ARP message. Every host on the LAN that receives such a message stores the IP-to-MAC mapping it carries in its ARP cache, without verifying it. The problem is that an attacker can send a gratuitous ARP message containing a spoofed IP-to-MAC mapping, and a switch with no ARP inspection simply floods it to every host in the VLAN, which then update their ARP caches accordingly. Therefore, any host can claim to be the owner of any IP and MAC address combination.

For example, in Figure 20-9, R1 and PC1 have removed the correct entry for each other’s MAC address and replaced it with PC2’s MAC address. The threat actor has poisoned the ARP caches of all devices on the subnet. ARP poisoning leads to various man-in-the-middle attacks, posing a serious security threat to the network. All traffic between R1 and PC1 will now flow through the threat actor’s PC2.

Figure 20-9 Successful ARP Poisoning Attack

Dynamic ARP Inspection

To prevent ARP spoofing and then ARP poisoning, a switch must ensure that only valid ARP requests and replies are relayed. Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by doing the following:

  • Not relaying invalid ARP replies, including gratuitous ARP replies that fail inspection, out to other ports in the same VLAN

  • Intercepting all ARP requests and replies on untrusted ports

  • Verifying each intercepted packet for a valid IP-to-MAC binding

  • Dropping and logging ARP replies coming from invalid sources to prevent ARP poisoning

  • Err-disabling the interface if the configured DAI rate limit of ARP packets per second is exceeded

To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:

  • Enable DHCP snooping globally.

  • Enable DHCP snooping on selected VLANs.

  • Enable DAI on selected VLANs.

  • Configure trusted interfaces for DHCP snooping and ARP inspection.

The topology in Figure 20-10 identifies trusted and untrusted ports.

Figure 20-10 Trusted and Untrusted Ports for DAI Configuration

In Figure 20-10, S1 is connecting two users on VLAN 10. In Example 20-12, DAI is configured to mitigate against ARP spoofing and ARP poisoning attacks. Notice that DHCP snooping is enabled because DAI requires the DHCP snooping binding table to operate. Also notice that the uplink toward the DHCP server (fa0/24) is trusted for both features; if it is left untrusted, DAI drops the server’s own ARP replies because they have no binding table entry. By default, DAI rate-limits ARP packets on untrusted ports (15 packets per second on Cisco Catalyst switches) and err-disables a port that exceeds the limit; the limit is adjusted with the ip arp inspection limit rate interface configuration command.

Example 20-12 DAI Configuration

S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust

DAI can also be configured to perform additional checks on the destination MAC address, the source MAC address, and the IP addresses in ARP packets with the ip arp inspection validate command. The src-mac option compares the Ethernet source MAC address with the ARP sender MAC address in both requests and replies; the dst-mac option compares the Ethernet destination MAC address with the ARP target MAC address in replies; the ip option rejects invalid or unexpected addresses (0.0.0.0, 255.255.255.255, and multicast addresses) in the sender IP of all ARP packets and the target IP of replies. Only one ip arp inspection validate command is kept in the running configuration: entering a new one overwrites the previous one rather than adding to it. To apply more than one validation, enter all the options on the same command line, as shown and verified in Example 20-13.

Example 20-13 Configuring DAI to Validate MAC and IP Addresses

S1(config)# ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# ip arp inspection validate ip
S1(config)# do show run | include validate
ip arp inspection validate ip
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#
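The following Python model, added here as an example and not taken from the book or from Cisco, shows what the binding table check and the three validate options in Example 20-13 actually compare. It parses constructed Ethernet/ARP frames for the Figure 20-9 scenario (PC2 trying to poison PC1’s entry for R1 on VLAN 10) against a binding table seeded from DHCP snooping. The DynamicArpInspection class, the frame builder, the port names and the MAC and IP addresses are assumptions made for illustration; the fourth case shows why src-mac validation matters: the ARP body carries PC1’s legitimate pair, so the binding check alone would pass it.

```python
import struct
from ipaddress import IPv4Address
from typing import Iterable, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Constructed Ethernet II + ARP frame, used only to create sample input."""
    return (_mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + _mac(sha) + IPv4Address(spa).packed + _mac(tha) + IPv4Address(tpa).packed)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and the 28-byte ARP body (RFC 826)."""
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol encoding")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": _mac_str(eth_dst), "eth_src": _mac_str(eth_src), "oper": oper,
            "sha": _mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(IPv4Address(tpa))}


def _bad_ip(ip: str) -> bool:
    # The "ip" validation rejects 0.0.0.0, 255.255.255.255 and multicast addresses
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


class DynamicArpInspection:
    """Hypothetical model of DAI on an untrusted port; the extra checks mirror
    the ip arp inspection validate options (src-mac, dst-mac, ip)."""

    def __init__(self, bindings: Iterable[Tuple[int, str, str]],
                 trusted_ports: Iterable[str], validate: Iterable[str] = ()):
        self.bindings: Set[Tuple[int, str, str]] = set(bindings)  # (vlan, mac, ip)
        self.trusted = set(trusted_ports)
        self.validate = set(validate)

    def inspect(self, port: str, vlan: int, frame: bytes) -> Tuple[str, str]:
        if port in self.trusted:
            return "forward", "trusted port, not inspected"
        a = parse_arp_frame(frame)
        if "src-mac" in self.validate and a["eth_src"] != a["sha"]:
            return "drop", "src-mac: Ethernet source MAC != ARP sender MAC"
        if "dst-mac" in self.validate and a["oper"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
            return "drop", "dst-mac: Ethernet destination MAC != ARP target MAC"
        if "ip" in self.validate and (_bad_ip(a["spa"]) or
                                      (a["oper"] == ARP_REPLY and _bad_ip(a["tpa"]))):
            return "drop", "ip: invalid sender/target IP address"
        # The core check: the sender's IP-to-MAC pair must exist in the
        # DHCP snooping binding table for this VLAN (requests and replies alike)
        if (vlan, a["sha"], a["spa"]) not in self.bindings:
            return "drop", f"no DHCP snooping binding for {a['spa']} -> {a['sha']}"
        return "forward", "valid IP-to-MAC binding"


def run_scenario() -> dict:
    """Constructed frames for the Figure 20-9 scenario: PC2 tries to poison
    PC1's view of R1 (192.168.10.1) on VLAN 10."""
    PC1, PC2, R1 = "00:03:47:b5:9f:ad", "00:0c:29:12:34:56", "00:1b:53:00:00:01"
    BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    dai = DynamicArpInspection(
        bindings={(10, PC1, "192.168.10.10"), (10, PC2, "192.168.10.20")},
        trusted_ports={"Fa0/24"}, validate={"src-mac", "dst-mac", "ip"})
    cases = {
        "pc1_asks_for_router": ("Fa0/5", build_arp_frame(
            BCAST, PC1, ARP_REQUEST, PC1, "192.168.10.10", ZERO, "192.168.10.1")),
        "router_reply_on_uplink": ("Fa0/24", build_arp_frame(
            PC1, R1, ARP_REPLY, R1, "192.168.10.1", PC1, "192.168.10.10")),
        "pc2_claims_router_ip": ("Fa0/6", build_arp_frame(
            PC1, PC2, ARP_REPLY, PC2, "192.168.10.1", PC1, "192.168.10.10")),
        "pc2_uses_pc1_pair_in_body": ("Fa0/6", build_arp_frame(
            BCAST, PC2, ARP_REQUEST, PC1, "192.168.10.10", ZERO, "192.168.10.1")),
        "pc2_reply_target_mismatch": ("Fa0/6", build_arp_frame(
            BCAST, PC2, ARP_REPLY, PC2, "192.168.10.20", PC1, "192.168.10.10")),
        "pc2_zero_sender_ip": ("Fa0/6", build_arp_frame(
            BCAST, PC2, ARP_REQUEST, PC2, "0.0.0.0", ZERO, "192.168.10.10")),
    }
    return {name: dai.inspect(port, 10, frame) for name, (port, frame) in cases.items()}
```

The order of the checks is illustrative; what matters is that the binding table check alone stops PC2 from claiming R1’s address, while the src-mac, dst-mac and ip options catch frames whose ARP body is internally consistent but disagrees with the Ethernet header or carries an address no host can legitimately own. Static hosts without a DHCP binding (and ARP ACLs, which real DAI uses to permit them) are not modeled.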

Study Resources

For today’s exam topics, refer to the following resources for more study.

Resource                                      Module or Chapter
Cisco Network Academy: CCNA2                  10, 11
CCNA 200-301 Official Cert Guide, Volume 1    6
CCNA 200-301 Official Cert Guide, Volume 2    4, 8
Portable Command Guide                        20, 22
