
Switches

It is often overlooked that switches also need to be secured. Here are some things you might want to check for:

Auto Trunking

Catalyst switches often have auto trunking enabled by default. This makes them vulnerable to two different kinds of attack:
  • The first is the crafting of double-tagged (double-encapsulated) 802.1Q frames by an attacker, which makes it possible to send traffic via a second switch into any VLAN on that switch. This only works if the attacker is on the same port as the trunk, and it only applies to unidirectional traffic (the traffic the attacker sends).
  • The second is that an attacker can inject any kind of 802.1Q frames into the switch and thereby get access to all VLANs.

    To check that trunking is switched off:
      CatOS> show trunk [mod|mod/port]
      IOS# show interface <type> <number> switchport
    To switch it off for good:
      CatOS> set trunk <mod/port> off
      IOS(config-if)# switchport mode access
    Also do the following about VLANs:

  • disable unused ports
  • set all ports to non-trunking
  • use dedicated VLAN IDs for all trunk ports

    Gratuitous ARP

    Another very important issue is gratuitous ARP: any station on a network can simply send out ARP packets announcing that it has a certain IP address and the associated MAC address. This makes it possible, for example, for an attacker on a LAN to spoof the gateway. On some operating systems it is even possible to overwrite static ARP entries this way.

    To protect against this type of attack, use Private VLANs. On IOS you do the following on the interface:
      IOS(config-if)# port protected
    On CatOS, you need to use the set vlan / set pvlan commands. Use show pvlan to display them.

    You might also consider static ARP entries; beware of the administrative burden, though!
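    As an added illustration of why the ARP announcements described above cannot be trusted, the following monitor (example code, not from the original page) learns IP-to-MAC bindings from ARP frames and alerts when a protected address such as the gateway is re-announced from a different MAC. The frames, MAC addresses and the gateway IP are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

ARP_ETHERTYPE = b"\x08\x06"

def build_arp(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str, op: int = 2) -> bytes:
    """Construct a raw Ethernet/ARP frame (sample input for the monitor, not captured traffic)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    eth = m(target_mac) + m(sender_mac) + ARP_ETHERTYPE
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # hw type, proto, hlen, plen, opcode (2 = reply)
    return eth + arp + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip)

def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the sender/target bindings of an ARP frame, or None for non-ARP or truncated frames."""
    if len(frame) < 42 or frame[12:14] != ARP_ETHERTYPE:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": struct.unpack("!H", frame[20:22])[0], "smac": mac(frame[22:28]),
            "sip": ip(frame[28:32]), "tmac": mac(frame[32:38]), "tip": ip(frame[38:42])}

class ArpWatch:
    """Learn IP->MAC bindings from ARP traffic; a changed binding for a protected IP raises an alert."""
    def __init__(self, protected_ips):
        self.protected = set(protected_ips)
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        a = parse_arp(frame)
        if a is None:
            return None
        ip, mac = a["sip"], a["smac"]
        known = self.table.setdefault(ip, mac)  # the first claim is simply trusted: ARP has no authentication
        if known != mac and ip in self.protected:
            kind = "gratuitous " if a["sip"] == a["tip"] else ""
            return f"ALERT: {kind}ARP claims {ip} is at {mac} (learned {known})"
        self.table[ip] = mac  # same binding, or an unprotected host that moved (e.g. DHCP): (re)learn it
        return None

GATEWAY = "192.168.1.1"  # assumed gateway address of the constructed sample network
SAMPLE = [  # constructed frames: gateway reply, host reply, then a station re-announcing the gateway IP
    build_arp("00:11:22:33:44:01", GATEWAY, "00:aa:bb:cc:dd:10", "192.168.1.10"),
    build_arp("00:aa:bb:cc:dd:10", "192.168.1.10", "00:11:22:33:44:01", GATEWAY),
    build_arp("de:ad:be:ef:00:01", GATEWAY, "ff:ff:ff:ff:ff:ff", GATEWAY),
]

def run_sample() -> List[str]:
    watch = ArpWatch({GATEWAY})
    return [alert for alert in map(watch.observe, SAMPLE) if alert]
```

    Run on a live capture, the same logic is what tools of the arpwatch kind do; the first binding seen is trusted, which is exactly the weakness the section describes.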

    PVLAN attack

    Consider putting non-matching MAC and IP information into an Ethernet frame: the destination MAC being the one of an adjacent router and the destination IP being the one of the victim host. The switch with a PVLAN allows the packet in, as it is going to a valid destination (the router). The router then forwards the packet back to the victim, which is on another PVLAN. This only works for unidirectional traffic. To counter it, filter traffic on the router that enters and leaves the internal network on the same interface:
      IOS(config)#access-list 101 deny ip internalnet/mask internalnet/mask log
      IOS(config)#access-list 101 permit ip any any
      IOS(config-if)#ip access-group 101 in

    Spanning Tree Protocol (STP)

    An attacker connected to two different switches in a topology can send BPDU messages to the switches in order to become the root switch of the tree. It is also possible to send a BPDU with priority zero to become the root switch.

    On the switches it is advisable to disable STP (in loop-free topologies only!). You can also enable BPDU guard or root guard on the ports.

    VLAN Trunking Protocol (VTP)

    Consider switching this protocol off, or at least use it with authentication:
      IOS(config)#vtp mode transparent

    802.1x

    To boost edge security, consider using 802.1x with the Extensible Authentication Protocol (EAP). It authenticates a machine before it is allowed onto the network. The authentication can run via RADIUS in the background and thus integrate different authentication mechanisms.

    Cisco Discovery Protocol (CDP)

    CDP is used by Cisco devices to talk to each other. Make sure it is really needed in your network and, if not, switch it off:
      IOS(config)#no cdp run
      IOS(config-if)#no cdp enable
    Similar on the CatOS:
      CatOS> set cdp disable ... 

    DHCP Starvation

    Ever considered starving a DHCP server? And then acting as a DHCP server yourself once all the IPs of the original DHCP server are handed out? You can even provide the gateway address to the clients!


    CopyLeft (l) 2003 by Raffael Marty