Defending Against Layer 2 Attacks

This section begins by exploring the nature of Layer 2 switch operation and why it is such an attractive target for attackers. Then, approaches for mitigating a variety of Layer 2 attacks are addressed. These strategies include best practices for securing a Layer 2 network, protecting against VLAN hopping attacks, preventing an attacker from manipulating Spanning Tree Protocol (STP) settings, stopping DHCP server and ARP spoofing, preventing Content Addressable Memory (CAM) table overflow attacks, and disallowing MAC address spoofing. Other switch-related security topics include port security, Switch Port Analyzer (SPAN), Remote SPAN (RSPAN), VLAN access control lists (VACL), private VLANs, rate limiting, and MAC address notification.

Review of Layer 2 Switch Operation

Shared media hubs have largely been eliminated from today's corporate networks, with Ethernet switches taking their place. An Ethernet switch learns the MAC addresses connected off each of its ports. Then, when a frame enters the switch, the switch forwards the frame based on the frame's destination MAC address. However, if the switch does not have the frame's destination MAC address stored in its CAM table (also known as a MAC address table), or if the frame's destination MAC address is a broadcast address of all Fs (that is, FFFF.FFFF.FFFF), the frame is forwarded out all ports other than the port it was received on.

Many Ethernet switches can also logically group ports to form a Virtual LAN (VLAN), where each VLAN is its own broadcast domain. Traffic must be routed to travel from one VLAN to another VLAN.

Cisco Catalyst switches operate at Layer 2 of the OSI model (the Data Link Layer), as illustrated in Figure 6-1. If an attacker were to gain control of an Ethernet switch operating at Layer 2, all the upper layers could be compromised. As a result, Layer 2 switches, such as a series of Cisco Catalyst switches, might appear to be an attractive target of attacks.

Figure 6-1 Compromising Layer 2

[Figure: the OSI model, with the Ethernet switch compromised at the Data Link layer (Layer 2) and, as a result, all the upper layers compromised.]

Basic Approaches to Protecting Layer 2 Switches

Although this chapter explores several advanced approaches to securing Ethernet switches, for now, consider the following basic approaches to Layer 2 protection, which should be applied to switches throughout the network:

■ Telnet access: Administrators can connect to a Cisco Catalyst switch using Telnet. Unfortunately, Telnet is not a secure protocol. If an attacker intercepted the Telnet packets, he might be able to glean the password credentials necessary to gain administrative access to the switch. Therefore, Secure Shell (SSH) is preferred as an alternative to Telnet, because it offers confidentiality and data integrity. Administrators alternatively can configure the switch via a switch's console port. Therefore, this console port should have physical security (for example, it should be locked away from physical access by a user).

■ SNMP access: Simple Network Management Protocol (SNMP) is often used by a network management station to collect information about network devices. Older versions of SNMP (for example, version 1 and version 2c) lack strong security mechanisms. If these older versions are used, consider allowing SNMP to only read information, rather than read and write information. Alternatively, you might consider using SNMP version 3, which does implement strong security mechanisms.

■ Reducing exposure: Just as server administrators can reduce their server's exposure to attacks by turning off unneeded services, switch administrators can reduce a switch's exposure to attacks by disabling any unneeded services and any unused Ethernet ports. Additionally, administrators can limit the number of MAC addresses that ports can learn.


■ Logging: As with routers, logging attempts to access the switch. Regularly reviewing those logs can alert switch administrators to potential threats.

■ Change control: In enterprise networks, multiple switch administrators might share the responsibility for switch configuration. Therefore, consider a formalized change control policy to better coordinate administrative activity.

■ VLAN configuration: Consider the following recommendations when configuring switch VLANs:

— Configure ports that do not need to form a trunk to a trunk setting of "off," as opposed to "auto."

— Do not send user data over an IEEE 802.1Q trunk's native VLAN.

— Use private VLANs to prevent an attacker from compromising one host in a VLAN and then using that host as a jumping-off point to attack other hosts within the VLAN.

Preventing VLAN Hopping

A VLAN hopping attack allows traffic from one VLAN to pass into another VLAN, without first being routed. An attacker could use a VLAN hopping attack to, for example, eavesdrop on traffic that the attacker's PC is supposed to be isolated from or to send traffic to a VLAN that the attacker's PC should not be able to reach. The two main approaches for launching a VLAN hopping attack are switch spoofing and double tagging.

Switch Spoofing

By default, Ethernet trunks on Cisco Catalyst switches carry traffic for all VLANs. Therefore, if an attacker can persuade a switch to go into trunking mode, the attacker could then see traffic for all VLANs. In some cases this type of attack could be used to discover username and password credentials that the attacker could use for a later attack.

Some Cisco Catalyst switch ports default to auto mode for trunking, which means that the ports automatically become trunk ports if they receive Dynamic Trunking Protocol (DTP) frames. An attacker could attempt to make his switch port enter trunking mode either by spoofing DTP frames or by connecting a rogue switch to his switch port. To combat switch spoofing, you can disable trunking on all ports that do not need to form trunks, and disable DTP on ports that do need to be trunks.

Example 6-1 illustrates how to disable trunking on a Cisco Catalyst 3550 switch port, and Example 6-2 demonstrates how to configure a port to act as a trunk port, without the use of DTP.

Example 6-1 Disabling Trunking

Cat3550(config)# interface gigabitethernet 0/3
Cat3550(config-if)# switchport mode access
Cat3550(config-if)# exit

Example 6-2 Preventing the Use of DTP

Cat3550(config)# interface gigabitethernet 0/4
Cat3550(config-if)# switchport trunk encapsulation dot1q
Cat3550(config-if)# switchport mode trunk
Cat3550(config-if)# switchport nonegotiate
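As an added example (not from the book), the following script audits a saved running-config for the weak settings named in the basic approaches above (Telnet permitted on the vty lines, a writable SNMPv1/v2c community) and in the switch-spoofing discussion (ports left DTP-negotiable, trunks configured without switchport nonegotiate). The sample config is constructed, and the script assumes a port with no explicit switchport mode behaves as a DTP auto port, as the text notes some Catalyst ports do.

```python
# Constructed sample running-config (not from a real device): weak settings
# from this section next to the hardened ones from Examples 6-1 and 6-2.
SAMPLE_CONFIG = """\
snmp-server community secret RW
line vty 0 4
 transport input telnet ssh
!
interface GigabitEthernet0/1
 switchport mode dynamic auto
!
interface GigabitEthernet0/4
 switchport mode trunk
!
interface GigabitEthernet0/5
 switchport mode trunk
 switchport nonegotiate
"""

def _blocks(config):
    """Split IOS-style config text into (header, [indented lines]) blocks."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (None, []) if raw.strip() in ("", "!") else (raw.strip(), [])
    if header is not None:
        yield header, body

def audit_config(config):
    """Return findings for the Layer 2 weaknesses this section describes."""
    findings = []
    for header, body in _blocks(config):
        words = header.split()
        if words[:2] == ["snmp-server", "community"] and any(w.upper() == "RW" for w in words[3:]):
            findings.append(f"SNMPv1/v2c write community '{words[2]}': use RO or SNMPv3")
        elif words[:2] == ["line", "vty"]:
            ti = [l for l in body if l.startswith("transport input")]
            if not ti or any(w in ti[-1].split() for w in ("telnet", "all")):
                findings.append(f"{header}: Telnet allowed, set 'transport input ssh'")
        elif words[0] == "interface":
            # No explicit mode: assumed DTP-negotiable, the default the text warns about
            mode = next((l.split()[2] for l in body if l.startswith("switchport mode")), "dynamic")
            if mode == "dynamic":
                findings.append(f"{words[1]}: DTP negotiable (auto/desirable), set access or trunk")
            elif mode == "trunk" and "switchport nonegotiate" not in body:
                findings.append(f"{words[1]}: trunk still runs DTP, add 'switchport nonegotiate'")
    return findings
```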
