Welcome to IE-LAB!

Generic filters
Generic filters

Switch Security Introduction

As the most common device in the LAN, the switch faces a major threat to security.Some of these threats are directed at vulnerabilities in switch management, where an attacker attempts to control the switch;Some are aimed at the function of the switch, and the attacker tries to disrupt the normal operation of the switch, thereby achieving the purpose of destroying or even stealing data.

There are several types of attacks against switches:
  1. Switch configuration/management attack

2, MAC flood attack

3, DHCP spoofing attacks

4, MAC and IP spoofing attacks

5, ARP fraud

6, VLAN jump attack

7, STP attack

8, VTP attack

First, the access security of the switch

In order to prevent the switch from being detected or controlled by an attacker, basic security must be configured on the switch.

1, use a qualified password

2, use ACL to limit management access

3, configure the system warning language

4, disable unwanted services

5, close CDP

6, enable system log

7, use SSH instead of Telnet

8, turn off SNMP or use SNMP V3

Second, the port security of the switch

The switch relies on the MAC address table to forward data frames. If the MAC address does not exist, the switch forwards the frame to each port on the switch (flooding).However, the size of the MAC address table is limited, and the MAC flooding attack exploits this restriction to bomb the switch with a fake source MAC address until the switch MAC address table becomes full.The switch then enters a mode called Fail-open and starts working like a hub, broadcasting packets to all machines on the network.Therefore, an attacker can see all frames sent to another host without a MAC address table entry.To prevent MAC flood attacks, you can configure port security features, limit the number of valid MAC addresses allowed on a port, and define the actions of the port when the attack occurs: shutdown, protection, and restriction.

Third, DHCP Snooping – anti-DHCP spoofing

After DHCP-Snooping is enabled on the switch, DHCP packets are listened to and the IP address and MAC address information can be extracted and recorded from the received DHCP Request or DHCP Ack packets.In addition, DHCP-Snooping allows a physical port to be set to either a trusted port or an untrusted port. The trusted port can receive and forward DHCP Offer packets normally. The untrusted port will discard the received DHCP Offer packets.In this way, the switch can block the fake DHCP server and ensure that the client obtains an IP address from a valid DHCP server.

  1. The main function of dhcp-snooping is to isolate the illegal dhcp server and configure the untrusted port.
  2. Cooperate with switch DAI to prevent the spread of ARP virus.

3.establish and maintain a dhcp-snooping binding table, this table is generated by the ip and mac address in the dhcp ack package, and the second can be manually specified.This table is the basis for subsequent DAI (dynamic arp inspect) and IPSource Guard.These two similar techniques use this table to determine whether the ip or mac address is legal to restrict users from connecting to the network.

4.The trusted DHCP server is isolated by establishing a trusted port and an untrusted port. The trusted port forwards the DHCP packet normally. After the DHCP offer and DHCPACK received by the server received by the untrusted port, the packet is processed and lost.

Fourth, DAI – prevent ARP spoofing

Dynamic ARP Inspection (DAI) prevents ARP spoofing, which helps ensure that the access switch only passes “legal” ARP request and response information.The DAI works based on DHCP snooping. The DHCP snooping listens to the binding table, including the binding information of the IP address and the MAC address, and associates it with a specific switch port.Dynamic ARP Inspection (DAI-Dynamic ARP Inspection) can be used to check ARP requests and responses (active ARP and inactive ARP) for all untrusted ports, ensuring that the response comes from the real MAC owner.The switch determines whether it is the real MAC owner by checking the DHCP binding information recorded by the port and the IP address of the ARP reply. The illegal ARP packet will be rejected.

The DAI is configured for the VLAN. For the interface in the same VLAN, the DAI can be enabled or disabled. If the ARP packet is received from a trusted interface, no check is required;If an ARP packet is received from an untrusted interface, the packet can only be forwarded if the binding information is proven to be legitimate.In this way, DHCP Snooping is also essential for DAI. DAI is used dynamically, and the connected client host does not need to make any changes in settings.For servers that do not use DHCP, individual machines can be implemented by statically adding a DHCP binding table or an ARP access-list.

In addition, DAI can control the frequency of ARP request packets of a port.Once the ARP request frequency exceeds a preset threshold, the port is immediately closed. This feature can prevent the use of network scanning tools, and can also block viruses or attacks with a large number of ARP packet features.

Five, VLAN jump attack

There are two main ways for Vlan jump attacks:

  1. IEEE 802.1q and ISL tag attacks

The IEEE 802.1q and ISL markup attacks mainly utilize the omission of the administrator to not explicitly configure “switch mode access” on the interface.By default, the switch port may be DTP (Dynamic Trunk Protocol) auto or DTP desirable. If an attacker sends a DTP negotiation packet, the interface becomes a trunk port and can receive traffic to any VLAN. As a result, an attacker can communicate with other VLANs through the port being controlled.For this type of attack, simply set all untrusted interface modes to access mode to prevent this attack.

2, double label

The attacker sends a frame with two tags to another switch through a trunk link. After the peer switch strips a tag, there is a tag in the data frame.The switch forwards the packet to the VLAN specified by that tag, and the attacker implements the purpose of accessing another VLAN from one VLAN.For this type of attack, you can set the native VLAN on the trunk link to a non-existing VLAN and prevent data from this VLAN from passing through the trunk link.

For more articles you can follow us on:

error: Content is protected !!
× How can I help you?