Wednesday 15 May 2013

Cisco IOS Switch Security - Part II

  • Traffic Storm Control
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces.  

Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a 1-second traffic storm control interval and, during the interval, compares the traffic level with the traffic storm control level that you configure. The traffic storm control level is a percentage of the total available bandwidth of the port. On the platform shown below, each port has a single traffic storm control level that is used for all types of traffic (broadcast, multicast, and unicast); some platforms accept a different level per traffic type, so check the documentation for your model.

Monitoring is done separately, in 1-second intervals, for each traffic type for which you enable traffic storm control.

When the ingress traffic of a type for which traffic storm control is enabled reaches the configured level within an interval, traffic storm control drops that traffic type until the interval ends and resumes forwarding in the next interval.

Optional actions:
  • Shutdown—When a traffic storm occurs, traffic storm control puts the port into the error-disabled state. To reenable ports, use the error-disable detection and recovery feature or the shutdown and no shutdown commands.
  • Trap—When a traffic storm occurs, traffic storm control generates an SNMP trap.

 Example:
 SW(config-if)# storm-control broadcast level level[.level]
 SW(config-if)# storm-control multicast level level[.level]
 SW(config-if)# storm-control unicast level level[.level]
 SW(config-if)# storm-control action {shutdown | trap}
Specify the level as a percentage of the total interface bandwidth:
  • The level can be from 0 to 100.
  • The optional fraction of a level can be from 0 to 99.
  • 100 percent means no traffic storm control.
  • 0.0 percent suppresses all traffic of that type.

Verification:
SW# show interfaces gig4/10 counters storm-control
Port      UcastSupp %     McastSupp %     BcastSupp %  TotalSuppDiscards
Gi4/10      00.70           00.70           00.70              0
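As an added example (my own Python model, not Cisco code and not output from a switch), the following simulates the per-interval behaviour just described on a 100 Mb/s port: the level is a percentage of the bandwidth, traffic is dropped from the moment the level is reached until the interval ends, and the optional shutdown and trap actions are applied. The frame timings and sizes are constructed.

```python
# Added example (not Cisco code): a model of the per-interval storm-control
# behaviour described above, so the effect of a level can be tried offline.
from dataclasses import dataclass, field


@dataclass
class StormControlPort:
    bandwidth_bps: int            # link speed, e.g. 100_000_000 for a 100 Mb/s port
    level: float                  # percent of bandwidth, 0.0 .. 100.0 (100 = no control)
    action: str = "drop"          # "drop" (default), "shutdown" or "trap"
    interval: float = 1.0         # storm-control interval in seconds
    err_disabled: bool = False
    traps: list = field(default_factory=list)
    forwarded: int = 0
    discards: int = 0             # compare with TotalSuppDiscards in the show output
    _slot: int = -1               # index of the current interval
    _bits: int = 0                # bits seen so far in the current interval

    def threshold_bits(self) -> float:
        """Level is a percentage of what the port could carry in one interval."""
        return self.bandwidth_bps * self.interval * self.level / 100.0

    def ingress(self, t: float, frame_len: int) -> bool:
        """Offer one frame of the monitored type at time t; True if forwarded."""
        if self.err_disabled:             # shutdown action already fired
            self.discards += 1
            return False
        slot = int(t // self.interval)
        if slot != self._slot:            # new interval: suppression ends, counter resets
            self._slot, self._bits = slot, 0
        if self.level >= 100.0:           # 100 percent disables storm control
            self.forwarded += 1
            return True
        self._bits += frame_len * 8
        if self._bits <= self.threshold_bits():
            self.forwarded += 1
            return True
        # Level reached: suppress until the interval ends and apply the action.
        self.discards += 1
        if self.action == "shutdown":
            self.err_disabled = True      # port goes err-disabled; needs recovery or shut/no shut
        elif self.action == "trap" and slot not in self.traps:
            self.traps.append(slot)       # one SNMP trap per storm interval
        return False


def run_storm(level: float, action: str, frames: list) -> dict:
    """frames: (time, length) tuples, constructed input. Returns the counters."""
    port = StormControlPort(bandwidth_bps=100_000_000, level=level, action=action)
    for t, length in frames:
        port.ingress(t, length)
    return {"forwarded": port.forwarded, "discards": port.discards,
            "err_disabled": port.err_disabled, "traps": len(port.traps)}


if __name__ == "__main__":
    # Constructed burst: 1000 broadcast frames of 1500 bytes (12 Mbit) inside the
    # first second and another 1000 in the next; level 10% of 100 Mb/s = 10 Mbit.
    burst = ([(0.0005 * i, 1500) for i in range(1000)]
             + [(1.0 + 0.0005 * i, 1500) for i in range(1000)])
    print(run_storm(10.0, "drop", burst))      # 833 forwarded in each interval
    print(run_storm(10.0, "shutdown", burst))  # first excess frame err-disables the port
```

With the drop action the port forwards 833 frames per interval and discards the remaining 167, then starts over; with the shutdown action the first excess frame err-disables the port and everything after it is discarded until the port is recovered.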

  • DHCP Snooping
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

Validates DHCP messages received from untrusted sources and filters out invalid messages.

Rate-limits DHCP traffic from trusted and untrusted sources.

Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts. 

  The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources. 
  
Trusted and Untrusted Sources
 In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers, and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports and unknown DHCP servers are generally treated as untrusted sources. 

 In the switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.

 The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted. 

DHCP Snooping Binding Database 
 The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces. 

 Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. 
  
Packet Validation
The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless one of the following conditions occurs, in which case the packet is dropped:
  • The switch receives a DHCP server message (DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY) on an untrusted interface, that is, from a server outside the network or firewall or from a rogue server on a host port.
  • The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address (chaddr) do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
  • The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received. This stops a host on one port from releasing the lease of a host on another port.
  • The switch receives a DHCP packet on an untrusted interface that includes a relay agent IP address (giaddr) that is not 0.0.0.0; only a relay, which should sit behind a trusted port, is allowed to set it.
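The following Python model (an added example, not Cisco code) implements the activities and drop conditions listed above, including the binding database and the request-port cache that the host tracking feature maintains, and runs them over a constructed DHCP exchange with a rogue server, a chaddr spoof and a release sent from the wrong port. Port names, MAC and IP addresses are invented.

```python
# Added example (not Cisco code): a model of the DHCP snooping decisions listed
# above, run over constructed messages. Interface and VLAN names are made up.
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_MSGS = {OFFER, ACK, NAK, LEASEQUERY}   # only acceptable from a trusted port


@dataclass
class DhcpMsg:
    msg_type: int
    vlan: int
    iface: str               # port the frame arrived on
    src_mac: str             # Ethernet source address
    chaddr: str              # client hardware address in the DHCP header
    giaddr: str = "0.0.0.0"  # relay agent address
    yiaddr: str = "0.0.0.0"  # address the server hands out (server messages)
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    iface: str
    kind: str = "dhcp-snooping"


class DhcpSnooping:
    def __init__(self, vlans, trusted, verify_mac=True):
        self.vlans = set(vlans)          # ip dhcp snooping vlan ...
        self.trusted = set(trusted)      # ip dhcp snooping trust
        self.verify_mac = verify_mac     # ip dhcp snooping verify mac-address
        self.bindings = {}               # (vlan, mac) -> Binding
        self.client_port = {}            # (vlan, mac) -> port, the host-tracking cache

    def process(self, m: DhcpMsg):
        """Return (forward, reason) and maintain the binding database."""
        if m.vlan not in self.vlans:
            return True, "vlan not snooped"
        if m.iface in self.trusted:
            self._learn_from_server(m)
            return True, "trusted interface"
        key = (m.vlan, m.chaddr.lower())
        # Everything below arrived on an untrusted interface.
        if m.msg_type in SERVER_MSGS:
            return False, "server message on untrusted port (rogue DHCP server)"
        if self.verify_mac and m.src_mac.lower() != m.chaddr.lower():
            return False, "source MAC does not match chaddr"
        if m.giaddr != "0.0.0.0":
            return False, "relay agent address set on untrusted port"
        if m.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b and b.iface != m.iface:
                return False, "release/decline from a port other than the binding's"
            self.bindings.pop(key, None)
        else:
            self.client_port[key] = m.iface   # remember where this client lives
        return True, "ok"

    def _learn_from_server(self, m: DhcpMsg):
        # A DHCPACK from a trusted server creates the client's binding; the port
        # comes from the request seen earlier on the untrusted side.
        if m.msg_type != ACK:
            return
        key = (m.vlan, m.chaddr.lower())
        port = self.client_port.get(key)
        if port is not None:
            self.bindings[key] = Binding(key[1], m.yiaddr, m.lease, m.vlan, port)


def demo():
    """Constructed exchange: trusted uplink Gi1/0/24, client on Gi1/0/1."""
    snoop = DhcpSnooping(vlans=[10], trusted=["Gi1/0/24"])
    c, srv = "00aa.bbcc.dd01", "0011.2233.4455"
    steps = [
        ("client discover", DhcpMsg(DISCOVER, 10, "Gi1/0/1", c, c)),
        ("rogue offer on access port", DhcpMsg(OFFER, 10, "Gi1/0/2", srv, c, yiaddr="10.0.10.99")),
        ("offer from uplink", DhcpMsg(OFFER, 10, "Gi1/0/24", srv, c, yiaddr="10.0.10.50")),
        ("client request", DhcpMsg(REQUEST, 10, "Gi1/0/1", c, c)),
        ("ack from uplink", DhcpMsg(ACK, 10, "Gi1/0/24", srv, c, yiaddr="10.0.10.50", lease=3600)),
        ("chaddr spoof", DhcpMsg(REQUEST, 10, "Gi1/0/3", "00aa.bbcc.dd02", c)),
        ("release from wrong port", DhcpMsg(RELEASE, 10, "Gi1/0/3", c, c)),
        ("fake relay", DhcpMsg(REQUEST, 10, "Gi1/0/1", c, c, giaddr="10.0.10.1")),
        ("release from own port", DhcpMsg(RELEASE, 10, "Gi1/0/1", c, c)),
    ]
    return [(label,) + snoop.process(m) for label, m in steps], snoop


if __name__ == "__main__":
    results, snoop = demo()
    for label, fwd, why in results:
        print(f"{'forward' if fwd else 'DROP':7}  {label:26} {why}")
    print("bindings left:", snoop.bindings)
```

The rogue OFFER, the spoofed REQUEST, the RELEASE from the wrong port and the REQUEST carrying a giaddr are all dropped; the legitimate exchange creates a binding for the client with the port learned from its own request, and the client's own RELEASE removes it again.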
 DHCP Snooping Database Agent

 To retain the bindings across reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost when the switch reloads, and hosts on ports protected by IP Source Guard or Dynamic ARP Inspection lose connectivity until they renew their leases and the bindings are relearned.

The database agent stores the bindings in a file at a configured location. Upon reload, the switch reads the file to build the database for the bindings. The switch keeps the file current by writing to the file as the database changes. 

DHCP Snooping Host Tracking 
  The DHCP snooping host tracking feature keeps a cache that learns, from snooped DHCP request packets, the VLAN, MAC address and port of each client, and uses this mapping to forward the snooped DHCP reply packets to the right port.
 This improves DHCP snooping packet processing performance for reply packets because the switch no longer has to look up the hardware VLAN and MAC address table to find the port on which to send them. The feature is useful in deployments where the DHCP snooping information option cannot be used (for example, when the DHCP server does not support Option 82). If the information option is configured, it takes precedence over host tracking in determining the port on which to forward reply packets.

DHCP Snooping Option-82 Data Insertion 
 The DHCP Information option (Option 82) is commonly used in metro or large enterprise deployments to provide additional information on the "physical attachment" of the client. Option 82 is meant for a distributed DHCP server/relay environment, where relays insert additional information to identify the client's point of attachment.
  A DHCP relay is supposed to set the "giaddr" field in the relayed DHCP packets, so that the DHCP server can identify the pool to use for the request. The choice of pool is made based on the "giaddr" field or, if "giaddr" is missing or zero, on the incoming interface. Option 82 refines the request, allowing the DHCP server to select a "sub-range" within the pool. (Notice that by default Cisco IOS devices reject packets that carry Option 82 with a zero "giaddr", and that by default Cisco Catalyst switches insert Option 82 with a "giaddr" of zero when configured for DHCP snooping, so clients behind a snooping switch can stop getting leases from an IOS DHCP server.) Either configure ip dhcp relay information trust-all (or ip dhcp relay information trusted on the receiving interface) on the IOS DHCP server or relay, or disable insertion on the switch with no ip dhcp snooping information option when Option 82 is not needed.
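Added example, not Cisco code: the following Python builds and parses Option 82 and models the server-side pool choice and the giaddr-zero rejection described above. The circuit-id/remote-id byte layout is the default Catalyst format as I understand it from Cisco's documentation (VLAN, module, port; switch MAC); treat it as an assumption and compare it with a capture from your own switch. The pools, addresses and the trust flag are constructed.

```python
# Added example (not Cisco code): encode/decode the relay agent information
# option (82) and model the server-side giaddr / Option 82 decision described
# above. The sub-option layout is the default Catalyst format as documented by
# Cisco (assumed here; verify against your platform).
import ipaddress
import struct
from typing import Optional

OPT82 = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Encode option 82 the way a Catalyst snooping switch does by default."""
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)   # type 0, len 4, vlan, mod, port
    remote = struct.pack("!BB", 0, 6) + switch_mac               # type 0, len 6, switch MAC
    body = (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPT82, len(body)]) + body


def parse_option82(opt: bytes) -> dict:
    """Decode option 82; sub-options in another format are kept raw."""
    if len(opt) < 2 or opt[0] != OPT82 or len(opt) < 2 + opt[1]:
        raise ValueError("not a well-formed option 82")
    body, i, out = opt[2:2 + opt[1]], 0, {}
    while i + 2 <= len(body):
        code, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated sub-option")
        i += 2 + ln
        if code == SUB_CIRCUIT_ID and len(val) == 6 and val[:2] == b"\x00\x04":
            _, _, vlan, mod, prt = struct.unpack("!BBHBB", val)
            out["circuit_id"] = {"vlan": vlan, "module": mod, "port": prt}
        elif code == SUB_REMOTE_ID and len(val) == 8 and val[:2] == b"\x00\x06":
            out["remote_id"] = val[2:].hex(":")
        else:
            out.setdefault("other", []).append((code, val.hex()))
    return out


def select_pool(giaddr: str, ingress: str, option82: Optional[bytes], pools: dict,
                relay_trust_all: bool = False) -> dict:
    """Model of the server-side decision described above.

    giaddr: relay address from the DHCP header; ingress: the server's own
    address/prefix on the receiving interface (used when giaddr is zero);
    pools: {cidr: {vlan: sub-range label}}, a constructed pool layout.
    """
    if option82 is not None and giaddr == "0.0.0.0" and not relay_trust_all:
        # IOS default: relay information with a zero giaddr is untrusted and the
        # packet is dropped; 'ip dhcp relay information trust-all' changes that.
        return {"pool": None, "reason": "dropped: option 82 with giaddr 0.0.0.0"}
    anchor = (ipaddress.ip_address(giaddr) if giaddr != "0.0.0.0"
              else ipaddress.ip_interface(ingress).ip)
    for cidr, subranges in pools.items():
        if anchor in ipaddress.ip_network(cidr):
            vlan = parse_option82(option82).get("circuit_id", {}).get("vlan") if option82 else None
            return {"pool": cidr, "subrange": subranges.get(vlan),
                    "reason": "pool by giaddr" if giaddr != "0.0.0.0" else "pool by ingress interface"}
    return {"pool": None, "reason": "no pool covers the relay/ingress address"}


if __name__ == "__main__":
    opt = build_option82(vlan=10, module=1, port=7, switch_mac=bytes.fromhex("001122334455"))
    print(opt.hex(), parse_option82(opt))
    pools = {"10.0.10.0/24": {10: "10.0.10.100-150", 11: "10.0.10.151-200"}}
    print(select_pool("0.0.0.0", "10.0.10.1/24", opt, pools))                        # dropped
    print(select_pool("0.0.0.0", "10.0.10.1/24", opt, pools, relay_trust_all=True))  # VLAN 10 sub-range
    print(select_pool("10.0.10.1", "0.0.0.0/0", opt, pools))                         # relayed: accepted
```

The first select_pool call reproduces the failure mode from the note above (Option 82 present, giaddr zero, relay information untrusted); the second shows what trust-all changes, and the third what a proper relay with a set giaddr looks like.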

Spurious DHCP server
 A DHCP server that is on your network without your knowledge on an untrusted port is called a spurious DHCP server. A spurious DHCP server is any piece of equipment that is loaded with a DHCP server enabled. Some examples are desktop and laptop systems with a DHCP server enabled, or wireless access points honoring DHCP requests on the wired side of your network. If spurious DHCP servers remain undetected, you will have difficulties troubleshooting a network outage, and a hostile one can hand clients its own default gateway or DNS server and so place an attacker in the path of their traffic.

Example: 
  • Configuring the DHCP Trust State on Layer 2 LAN Interfaces
SW(config)# interface FastEthernet 0/0
SW(config-if)# ip dhcp snooping trust

SW# show ip dhcp snooping | begin pps
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/0             yes         unlimited
  • Enabling DHCP Snooping Globally
SW(config)# ip dhcp snooping

SW# show ip dhcp snooping | include Switch
Switch DHCP snooping is enabled
  • Enabling DHCP Snooping on VLANs
SW(config)# ip dhcp snooping vlan 10-12,15

SW# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10-12,15
DHCP snooping is operational on following VLANs:
none
  • Enabling DHCP Option-82 Data Insertion (on by default once DHCP snooping is enabled)
SW(config)# ip dhcp snooping information option
  • Enabling DHCP Snooping Host Tracking
SW(config)# no ip dhcp snooping information option
SW(config)# ip dhcp snooping track host
  • Enabling the Database Agent
The following example shows how to configure the DHCP snooping database agent to store the bindings at a given location and to view the configuration and operating state. TFTP is unauthenticated and unencrypted, so anyone who can write to that server can seed the switch with bogus bindings at its next reload; prefer local storage (for example flash:) or restrict the TFTP server to the switch management network.

SW(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file

To manually read the entries from a TFTP file, perform this task:

SW# renew ip dhcp snoop data tftp://10.1.1.1/directory/file
Loading directory/file from 10.1.1.1 (via GigabitEthernet1/1): !
[OK - 457 bytes]
Database downloaded successfully.
SW#
00:01:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Read succeeded.
  • Configuring Spurious DHCP Server Detection
SW# configure terminal
SW(config)# ip dhcp snooping detect spurious vlan 20-25
SW(config)# ip dhcp snooping detect spurious interval 50
SW(config)# do show ip dhcp snooping detect spurious
Spurious DHCP server detection is enabled.
Detection VLAN list : 20-25
Detection interval : 50 minutes
  • Enabling DHCP Snooping MAC Address Verification

 With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports.

SW(config)# ip dhcp snooping verify mac-address
SW# show ip dhcp snooping | include hwaddr
Verification of hwaddr field is enabled
  • Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces
Rate limiting is normally applied to untrusted host ports so that one client cannot flood the DHCP server or the switch CPU with requests. When the rate is exceeded the interface is put into the error-disabled state; use errdisable recovery cause dhcp-rate-limit, or shutdown and no shutdown, to bring it back.
SW(config)# interface FastEthernet 0/0
SW(config-if)# ip dhcp snooping limit rate 100
SW(config-if)# do show ip dhcp snooping | begin pps
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/0             no          100

  • IP Source Guard
IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This helps prevent IP spoofing attacks in which a host uses the IP address of another host. Any IP traffic entering an untrusted Layer 2 port with a source IP address other than the one assigned to it (via DHCP or static configuration) is filtered out. Until a binding exists for the port, all IP traffic on it except DHCP is dropped, so a client must obtain its lease through the switch (or have a static binding) before it can communicate.
IP Source Guard is enabled together with the DHCP snooping feature on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table that is learned by DHCP snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains the IP address and the associated MAC address and VLAN number. IP Source Guard is supported on Layer 2 ports only, including access and trunk ports. Source IP and MAC filtering (ip verify source port-security) additionally requires port security to be enabled on the interface.


Example:
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# switchport port-security
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0011.0011.0011 vlan 5 10.1.1.11 interface GigabitEthernet1/0/2
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# ip verify source
Switch(config-if)# end
Switch# show ip verify source

  • Dynamic ARP Inspection
Address Resolution Protocol (ARP) provides IP-to-MAC (32-bit IP address into a 48-bit Ethernet address) resolution. ARP operates at Layer 2 (the data-link layer) of the OSI model. ARP provides the translation mapping the IP address to the MAC address of the destination host using a lookup table (also known as the ARP cache).
Several types of attacks can be launched against a host or devices connected to Layer 2 networks by "poisoning" the ARP caches. A malicious user could intercept traffic intended for other hosts on the LAN segment and poison the ARP caches of connected systems by broadcasting forged ARP responses. Several known ARP-based attacks can have a devastating impact on data privacy, confidentiality, and sensitive information. To block such attacks, the Layer 2 switch must have a mechanism to validate and ensure that only valid ARP requests and responses are forwarded.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. Dynamic ARP inspection determines the validity of packets by performing an IP-to-MAC address binding inspection stored in a trusted database, (the DHCP snooping binding database) before forwarding the packet to the appropriate destination. Dynamic ARP inspection will drop all ARP packets with invalid IP-to-MAC address bindings that fail the inspection. The DHCP snooping binding database is built when the DHCP snooping feature is enabled on the VLANs and on the switch.

 Dynamic ARP inspection inspects inbound packets only; it does not check outbound packets.

Example:
  • DAI in a DHCP Environment
Switch(config)# ip arp inspection vlan 5-10
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip arp inspection trust
! trust only uplinks toward other switches and the DHCP server; leave host ports untrusted
Switch(config-if)# exit
  •  DAI in a Non-DHCP Environment
Switch(config)# arp access-list arpacl
Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter arpacl vlan 5
! without the optional static keyword, ARP packets that match no ACL clause are still checked against the DHCP snooping bindings
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# no ip arp inspection trust
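One Python model (an added example, not Cisco code) for both the IP Source Guard filtering described earlier and the DAI checks described here, since both consume the same binding table: it runs IPSG in IP and IP+MAC mode, and DAI with trusted ports, an ARP ACL (with and without the static behaviour) and the DHCP snooping bindings, over constructed packets. Port names, addresses and the ACL contents are invented.

```python
# Added example (not Cisco code): IP Source Guard and Dynamic ARP Inspection
# decisions driven by one binding table, run over constructed packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    iface: str


class L2Guard:
    def __init__(self, bindings, trusted=(), ipsg_ports=None, dai_vlans=(),
                 arp_acl=None, acl_static=False):
        self.bindings = list(bindings)              # DHCP snooping + ip source binding entries
        self.trusted = set(trusted)                 # ip arp inspection trust (uplinks)
        self.ipsg_ports = dict(ipsg_ports or {})    # port -> "ip" or "ip-mac" (ip verify source [port-security])
        self.dai_vlans = set(dai_vlans)             # ip arp inspection vlan ...
        self.arp_acl = list(arp_acl or [])          # [(action, ip, mac)]: ip arp inspection filter
        self.acl_static = acl_static                # 'static' keyword: no fallback to bindings

    def ip_source_guard(self, iface, vlan, src_ip, src_mac):
        """Filter an IP packet entering an untrusted port against the bindings."""
        mode = self.ipsg_ports.get(iface)
        if mode is None:
            return True, "ip source guard not enabled on port"
        for b in self.bindings:
            if (b.iface == iface and b.vlan == vlan and b.ip == src_ip
                    and (mode == "ip" or b.mac == src_mac.lower())):
                return True, f"matches binding ({mode} mode)"
        # No binding yet, or a spoofed source: nothing but DHCP gets through.
        return False, "no binding for this source on this port"

    def arp_inspect(self, iface, vlan, sender_ip, sender_mac):
        """Validate the sender fields of an inbound ARP request or reply."""
        if vlan not in self.dai_vlans or iface in self.trusted:
            return True, "not inspected"
        mac = sender_mac.lower()
        for action, ip, acl_mac in self.arp_acl:          # ACL is consulted first
            if ip == sender_ip and acl_mac == mac:
                return action == "permit", f"arp access-list {action}"
        if self.acl_static and self.arp_acl:
            return False, "no ACL clause matched (static: implicit deny)"
        if any(b.vlan == vlan and b.ip == sender_ip and b.mac == mac for b in self.bindings):
            return True, "matches DHCP snooping binding"
        return False, "invalid IP-to-MAC binding, dropped"


def demo(acl_static=False):
    """Constructed topology: uplink Gi1/0/24 trusted, two access ports in VLAN 5."""
    guard = L2Guard(
        bindings=[Binding("10.1.1.20", "00aa.bbcc.dd20", 5, "Gi1/0/1"),      # learned by snooping
                  Binding("10.1.1.11", "0011.0011.0011", 5, "Gi1/0/2")],     # static ip source binding
        trusted=["Gi1/0/24"],
        ipsg_ports={"Gi1/0/1": "ip-mac", "Gi1/0/2": "ip"},
        dai_vlans=[5],
        arp_acl=[("permit", "10.1.1.11", "0011.0011.0011")],
        acl_static=acl_static,
    )
    checks = {
        "ipsg legit host":      guard.ip_source_guard("Gi1/0/1", 5, "10.1.1.20", "00aa.bbcc.dd20"),
        "ipsg spoofed gateway": guard.ip_source_guard("Gi1/0/1", 5, "10.1.1.1", "00aa.bbcc.dd20"),
        "ipsg spoofed mac":     guard.ip_source_guard("Gi1/0/1", 5, "10.1.1.20", "0000.dead.beef"),
        "ipsg static binding":  guard.ip_source_guard("Gi1/0/2", 5, "10.1.1.11", "0000.dead.beef"),
        "dai gateway poison":   guard.arp_inspect("Gi1/0/1", 5, "10.1.1.1", "00aa.bbcc.dd20"),
        "dai legit reply":      guard.arp_inspect("Gi1/0/1", 5, "10.1.1.20", "00aa.bbcc.dd20"),
        "dai static via acl":   guard.arp_inspect("Gi1/0/2", 5, "10.1.1.11", "0011.0011.0011"),
        "dai trusted uplink":   guard.arp_inspect("Gi1/0/24", 5, "10.1.1.1", "0000.0000.0001"),
        "dai other vlan":       guard.arp_inspect("Gi1/0/3", 6, "10.1.6.9", "0000.0000.0002"),
    }
    return {name: ok for name, (ok, _) in checks.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'forward' if ok else 'DROP':7}  {name}")
```

The gateway-poisoning reply and the spoofed IP packets are dropped while the legitimate host, the statically bound host and the trusted uplink pass; re-running demo(acl_static=True) shows that with the static keyword the host known only through a DHCP binding is dropped too, because nothing falls through to the binding table.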
