Switch Data Plane Controls
SWITCH SECURITY BASELINE
VLAN HOPPING ATTACK
– Static access port configuration (switchport mode access)
– Disable DTP (switchport nonegotiate)
– Use an unused VLAN as the native VLAN on trunk ports (never VLAN 1 or a user VLAN) and tag the native VLAN
STP Spoofing
– BPDU Guard (host ports) and Root Guard (ports that must never become the root port)
MAC Spoofing
– Port Security and static MAC entries
CAM Floods
– MAC address limits in Port Security
DHCP Starvation (pool exhaustion)
– DHCP Snooping (per-port rate limits) and Port Security MAC limits
ARP Spoofing
– MAC limits in Port Security
– DHCP Snooping (rate limits and the binding table)
– Dynamic ARP Inspection (DAI)
IP Spoofing
– IP Source Guard or port-based ACLs (PACLs)
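The VLAN hopping, STP spoofing, MAC spoofing and CAM flood items above, as an added Cisco IOS Catalyst configuration (not from the original notes; DHCP snooping, DAI and IP Source Guard are covered in their own sections below). Interface numbers, VLAN IDs and the printer MAC 0011.2233.4455 are assumed for illustration.

```cisco
! Added example: access-layer hardening on a Cisco IOS Catalyst switch.
! Interface roles, VLAN IDs and the MAC address are assumed.
!
! --- Trunk uplink: explicit trunk, DTP off, unused native VLAN, pruned VLAN list
vlan 999
 name UNUSED-NATIVE
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport trunk encapsulation dot1q   ! only accepted on platforms that also do ISL
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Tag the native VLAN as well, so an untagged frame can never be double-tagged into a data VLAN
vlan dot1q tag native
!
! --- Downlink trunk to a small edge switch that must never become root
interface GigabitEthernet0/26
 description Downlink to edge switch
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
! --- User access ports: static access, DTP off, BPDU Guard, port security
interface range GigabitEthernet0/2 - 24
 description User access
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! --- Printer with a statically pinned MAC (assumed address), one MAC only
interface GigabitEthernet0/25
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
!
! --- Bring err-disabled ports back automatically after 5 minutes
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Unused ports: black-hole VLAN and shut down
vlan 666
 name BLACKHOLE
interface range GigabitEthernet0/27 - 48
 switchport mode access
 switchport access vlan 666
 shutdown
!
! Verify: show interfaces trunk / show port-security interface Gi0/2 / show spanning-tree summary
```

The `restrict` violation mode keeps the port up and counts violations (visible in show port-security), which is usually what you want on user ports; `shutdown` on the printer port makes a MAC change impossible to miss.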
DHCP ATTACKS
DHCP Spoofing
– An attacker answers clients as a rogue DHCP server, handing out a malicious default gateway or DNS server.
DHCP Starvation
– An attacker floods DHCP DISCOVER messages with random source MACs to exhaust the pool, often as the first step before bringing up a rogue server.
Configuration :
Enable DHCP snooping globally (ip dhcp snooping) and on the VLANs to protect (ip dhcp snooping vlan).
Configure trusted ingress ports (uplinks, trunks toward the legitimate DHCP server); all other ports stay untrusted and drop server-side messages (OFFER/ACK/NAK).
Configure the DHCP snooping database (flash:dhcp-db.db, or any URL you like) so bindings survive a reload; without it, DAI and IP Source Guard start with an empty table after a reboot and block legitimate hosts until they renew.
Configure the database write delay (30 sec; the minimum is 15).
Disable the DHCP information option (Option 82) unless the DHCP server or relay expects it, otherwise server replies may be dropped.
Configure a DHCP packet rate limit on each untrusted port (ip dhcp snooping limit rate); exceeding it err-disables the port, which blunts starvation floods.
ARP ATTACK
– Man-in-the-middle via gratuitous / forged ARP replies that poison the victims' ARP caches.
This is solved with Dynamic ARP Inspection (DAI), which validates ARP packets against the DHCP snooping binding table.
Configuration :
Enable DHCP snooping globally (DAI depends on the snooping binding table).
Configure trusted ingress ports (uplinks, trunks); ARP arriving on trusted ports is not inspected.
Use or configure the DHCP database (flash:dhcp-db.db, or any URL you like) so bindings survive a reload, OR
Configure an ARP ACL with static IP-MAC mappings for hosts that do not use DHCP (create the ACL, then apply it per VLAN with ip arp inspection filter; packets the ACL does not match fall back to the binding table unless the static keyword is used).
Configure the rate limit (15 pps over a 1 sec burst interval is the default on untrusted ports).
Configure err-disable recovery (errdisable recovery cause arp-inspection) so a rate-limit violation does not leave the port down for good.
Enable DAI on specific VLANs (ip arp inspection vlan); trusted/untrusted is set per interface.
SOURCE IP ATTACKS
– Spoofing an existing IP address (impersonating a live host)
– Abusing IP source routing options to steer traffic or replies through the attacker
– Spoofing a non-existent IP address (to flood, or to evade logging and rate limits)
Configure DHCP snooping (IP Source Guard filters on the snooping binding table).
Enable IP Source Guard on DHCP-enabled ports (interface level: ip verify source, or ip verify source port-security to check the MAC as well).
Configure static bindings (ip source binding) for hosts without DHCP, or PACLs if not using IP Source Guard.
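DHCP snooping, DAI and IP Source Guard as one layered configuration, added here as an example (not from the original notes). The three sections above all key off the same binding table, so one config shows how they fit together. VLAN IDs, interface roles, the database path and the static host 10.1.10.50 / 0011.2233.4455 on Gi0/25 are assumed.

```cisco
! Added example: DHCP snooping + DAI + IP Source Guard on a Catalyst access switch.
! VLANs, interfaces, database path and the static host are assumed.
!
! ---- DHCP snooping: builds the IP/MAC/VLAN/port binding table that DAI and IPSG use
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Hosts on untrusted ports are not relays, so do not insert Option 82
no ip dhcp snooping information option
! Persist bindings so a reload does not leave DAI/IPSG with an empty table
ip dhcp snooping database flash:dhcp-db.db
ip dhcp snooping database write-delay 30
!
! ---- DAI: validate ARP on VLANs 10 and 20 against the binding table
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
! Static hosts have no DHCP binding, so permit them via an ARP ACL.
! Without the "static" keyword, non-matching ARP still falls back to the binding table.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! ---- Trusted uplink: DHCP server replies and upstream ARP arrive here
interface GigabitEthernet0/1
 description Uplink to distribution (DHCP server is upstream)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- Untrusted user ports: rate-limit DHCP and ARP, enforce IPSG
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15 burst interval 1
 ip verify source
!
! ---- Static host on Gi0/25: IPSG needs an explicit binding (no DHCP lease)
interface GigabitEthernet0/25
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
 ip verify source
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet0/25
!
! ---- Bring ports back automatically after a rate-limit violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verify:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip verify source
```

Order matters when rolling this out: enable snooping and let the binding table populate (or load the database) before turning on DAI and IP Source Guard, otherwise every existing lease holder is cut off until it renews.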
IBNS Overview and 802.1X
Deployment :
Configuration on the SWITCH
– RADIUS server(s) and AAA method lists
– Enable 802.1X globally (dot1x system-auth-control), then per port (authentication port-control auto)
– Tune 802.1X re-authentication, timer values, guest / auth-fail VLANs
Configuration on ACS (the RADIUS server: users, groups, EAP methods, VLAN assignment)
Configuration on CLIENTS (the supplicant: EAP method, server certificate validation)
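The switch side of the 802.1X deployment above, as an added Cisco IOS example (not from the original notes). The RADIUS server 10.1.1.10, the shared secret, VLAN IDs (10 data, 30 guest, 40 auth-fail) and interface numbers are assumed.

```cisco
! Added example: 802.1X authenticator on a Cisco IOS switch with RADIUS.
! Server address, key, VLAN IDs and interfaces are assumed.
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! "radius server" syntax is IOS 15.x; older releases use "radius-server host"
radius server ACS-1
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key S3cr3tSharedKey
ip radius source-interface Vlan100
!
! Enable 802.1X globally; per-port settings do nothing without this
dot1x system-auth-control
!
interface range GigabitEthernet0/2 - 24
 description 802.1X user ports
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode multi-domain            ! one data + one voice device
 authentication periodic
 authentication timer reauthenticate 3600         ! re-auth every hour
 authentication event no-response action authorize vlan 30   ! guest VLAN: no supplicant
 authentication event fail action authorize vlan 40          ! auth-fail VLAN: bad credentials
 authentication event server dead action authorize vlan 10   ! critical VLAN if RADIUS is down
 authentication event server alive action reinitialize
 dot1x pae authenticator
 dot1x timeout tx-period 10    ! EAP-Request/Identity retry interval
 dot1x max-reauth-req 2        ! retries before falling to the guest VLAN
 spanning-tree portfast
!
! Uplink: never run 802.1X toward the distribution switch
interface GigabitEthernet0/1
 switchport mode trunk
!
! Verify:
!   show dot1x interface GigabitEthernet0/2 details
!   show authentication sessions
```

The critical-VLAN line is the trade-off to think about: authorizing users when RADIUS is unreachable keeps the business running, but it also means an attacker who can DoS the RADIUS path gets onto VLAN 10 without credentials.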
Routed Data Plane Controls
– Use PACLs on switches
– Use IP Source Guard on switches
– Use no ip source-route on routers
– Use static IP ACLs on routers at ingress (drop your own prefixes and bogons arriving from outside) and egress (allow only your own prefixes out)
uRPF – prevents attacks from spoofed source addresses
Why uRPF rather than the options above :
– ACLs are manual and must be maintained as prefixes change
– uRPF is automated – it checks the source address against the CEF forwarding table, and there are two modes :
Strict and Loose.
– Strict : the source must be in the routing table and reachable via the interface the packet arrived on. This breaks asymmetric routing, so use it on single-homed / symmetric links.
– Loose : the source IP only has to be in the routing table, via any interface. Use it where routing is asymmetric; note that a default route does not satisfy the check unless allow-default is given.
Config :
Enable CEF (uRPF requires it).
Configure uRPF on interfaces : ip verify unicast source reachable-via rx (strict) or any (loose); the old form is ip verify unicast reverse-path.
Configure the uRPF drop-rate notification over SNMP.
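The routed data-plane controls above on one edge router, as an added Cisco IOS example (not from the original notes). The inside prefix 203.0.113.0/24, the peering link 192.0.2.0/30, the SNMP host and the interface roles are assumed; the drop-rate trap commands belong to the uRPF Drop Rate Notification feature (CISCO-IP-URPF-MIB) and may not exist on every platform.

```cisco
! Added example: anti-spoofing on a Cisco IOS edge router.
! Prefixes, interfaces and SNMP host are assumed.
!
! Drop packets carrying loose/strict source-route options
no ip source-route
! uRPF needs CEF
ip cef
!
! Static ingress ACL on the Internet side: our own prefix and private/loopback
! space must never arrive from outside
ip access-list extended EDGE-IN
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
! Egress ACL: only traffic sourced from our prefix may leave
ip access-list extended EDGE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
! Inside LAN, single-homed and symmetric: strict uRPF
interface GigabitEthernet0/0
 description Inside LAN 203.0.113.0/24
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Peering side, routing may be asymmetric: loose uRPF plus the static ACLs.
! If this router only holds a default route, add "allow-default" or loose
! mode drops everything that is not a more-specific route.
interface GigabitEthernet0/1
 description Upstream peering
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast source reachable-via any
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
! uRPF drop-rate notification over SNMP (assumed feature availability)
ip verify drop-rate compute interval 30
ip verify drop-rate compute window 300
ip verify drop-rate notify hold-down 60
snmp-server enable traps ip verify drop-rate
snmp-server host 10.1.1.30 version 2c MONITOR-RO
!
! Verify:
!   show ip interface GigabitEthernet0/0 | include verify
!   show ip traffic | include RPF
```

Keep the static ACLs even with uRPF on: loose mode cannot catch a spoofed source that happens to be a routed prefix, and the ingress deny of your own prefix is the one rule uRPF never expresses on a multi-homed edge.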
FPM ( Flexible Packet Matching ) – identify and drop specific byte patterns inside the data stream, beyond what an ACL can express
Load the .phdf protocol header definition templates (shipped under system:fpm/phdf/).
Configure class maps (type stack for the header chain, type access-control for the match), a policy map type access-control with the drop/log action, and apply it as a service policy on the interface.
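The FPM procedure above as an added Cisco IOS example (not from the original notes). The pattern it drops, UDP to port 5000 with a payload beginning 0xDEADBEEF, is a constructed illustration and not a real signature; the interface name is assumed.

```cisco
! Added example: FPM on a Cisco IOS router. The matched pattern is constructed
! for illustration only; the interface is assumed.
!
! 1. Load the protocol header definition files shipped with IOS
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/udp.phdf
!
! 2. Stack class: tells FPM the header chain, so it knows where UDP starts
class-map type stack match-all IP-UDP-STACK
 match field IP protocol eq 0x11 next UDP
!
! 3. Access-control class: a header field plus raw payload bytes.
!    l3-start offset 28 = 20-byte IP header + 8-byte UDP header (no IP options)
class-map type access-control match-all BAD-UDP-PAYLOAD
 match field UDP dest-port eq 5000
 match start l3-start offset 28 size 4 eq 0xDEADBEEF
!
! 4. Inner policy holds the action; the outer policy ties it to the stack class
policy-map type access-control DROP-BAD-UDP
 class BAD-UDP-PAYLOAD
  drop
policy-map type access-control FPM-POLICY
 class IP-UDP-STACK
  service-policy DROP-BAD-UDP
!
! 5. Apply inbound on the untrusted interface
interface GigabitEthernet0/1
 service-policy type access-control input FPM-POLICY
!
! Verify: show policy-map type access-control interface GigabitEthernet0/1
```

The offset arithmetic is the usual mistake: l3-start counts from the IP header, so IP options shift the payload; if that matters, anchor the match on l4-start once the stack class has identified UDP.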
NetFlow – use it to identify traffic flooding attacks
– Provides a record of the packet flows seen by the device
– Sends the data to a collector
– Can be used to identify anomalies (new talkers, port scans, DDoS floods)
Flows are keyed on : source and destination IP and ports, L3 protocol type, the ToS byte, and the ifIndex of the input interface.
Multiple versions (v5, v9, IPFIX).
Traditional versus Flexible : traditional NetFlow uses that fixed key set (ip flow ingress); Flexible NetFlow lets you define the key and non-key fields in a flow record and bind it to a flow monitor and exporter.
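Traditional and Flexible NetFlow side by side, as an added Cisco IOS example (not from the original notes). The collector 10.1.1.20:2055, Loopback0 as source and the interface names are assumed; the two styles go on different interfaces because many platforms will not accept both on the same one.

```cisco
! Added example: traditional vs. Flexible NetFlow export on a Cisco IOS router.
! Collector address, source interface and interfaces are assumed.
!
! ---- Traditional NetFlow: fixed 7-tuple key, no choice of fields
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 10.1.1.20 2055
interface GigabitEthernet0/0
 ip flow ingress
!
! ---- Flexible NetFlow: key fields (match) and non-key fields (collect) are yours to pick
flow record SEC-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 tos
 match transport source-port
 match transport destination-port
 match interface input
 collect transport tcp flags            ! SYN-only flows stand out in a SYN flood
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
flow exporter SEC-EXPORTER
 destination 10.1.1.20
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
flow monitor SEC-MONITOR
 record SEC-RECORD
 exporter SEC-EXPORTER
 cache timeout active 60      ! export long-lived flows every minute
 cache timeout inactive 15
!
interface GigabitEthernet0/1
 ip flow monitor SEC-MONITOR input
!
! Verify: show flow monitor SEC-MONITOR cache format table
```

The collected TCP flags field is the point of the Flexible version for attack detection: a flood of one-packet flows with only SYN set, or many destination ports from one source, is visible in the cache before the collector ever reports it.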
Control Plane Controls
Routing Protocol Authentication
Route Filtering
Accept only known-good routing information from neighbors (prefix lists, maximum-prefix).
Reject everything else (your own prefixes, bogons, overly specific routes).
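Routing protocol authentication and route filtering together, as an added Cisco IOS example (not from the original notes). Neighbor addresses, AS numbers, the local prefix 203.0.113.0/24, keys and interfaces are assumed.

```cisco
! Added example: control-plane hardening on a Cisco IOS router.
! Neighbors, AS numbers, prefixes, keys and interfaces are assumed.
!
! ---- OSPF: MD5 neighbor authentication, and no adjacencies on user-facing interfaces
router ospf 1
 router-id 10.255.0.1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 0spfK3y!
!
! ---- EIGRP: authentication via a key chain
key chain EIGRP-KEYS
 key 1
  key-string E1grpK3y!
router eigrp 100
 network 10.0.0.0
interface GigabitEthernet0/2
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
! ---- BGP: TCP MD5 session password plus prefix filters in both directions
! Inbound: never accept our own prefix, private space, or anything longer than /24
ip prefix-list FROM-ISP seq 5 deny 203.0.113.0/24 le 32
ip prefix-list FROM-ISP seq 10 deny 10.0.0.0/8 le 32
ip prefix-list FROM-ISP seq 15 deny 0.0.0.0/0 ge 25
ip prefix-list FROM-ISP seq 100 permit 0.0.0.0/0 le 24
! Outbound: announce only what is ours
ip prefix-list TO-ISP seq 5 permit 203.0.113.0/24
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 password BgpS3ss10nK3y
 neighbor 192.0.2.1 prefix-list FROM-ISP in
 neighbor 192.0.2.1 prefix-list TO-ISP out
 neighbor 192.0.2.1 maximum-prefix 500000 90
!
! Verify:
!   show ip ospf neighbor
!   show ip eigrp neighbors
!   show ip bgp neighbors 192.0.2.1 | include prefix
```

The outbound prefix list is the one most often forgotten: it is what stops a route leak when a full table arrives from one upstream and would otherwise be re-advertised to another.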
Management Plane Controls
Interface ACLs
ACLs on VTY lines (access-class)
CoPP (Control Plane Policing)
MPP (Management Plane Protection) with a dedicated management interface <== best practice
RBAC
Parser views to restrict the commands a user may run (user rights)
Digitally signed IOS ( show software authenticity running )
Processor / memory threshold traps
Network Address Translation
Zone-Based Firewalls
IOS IPS
IOS VPN
VTI-Based VPN with PKI
DMVPN
GET VPN
VPN-HA
RA VPN On Cisco IOS