CCIE network engineers must know: An introduction to Ethernet switch security functions
Switches, the most common equipment in local area networks, face major security threats. Some of these threats target vulnerabilities in switch management, where attackers try to take control of the switch; others target switch functions, where attackers try to disrupt the normal operation of the switch in order to damage or even steal data.
There are several types of attacks against switches:
- Attacks on switch configuration/management
- MAC flood attack
- DHCP spoofing attack
- MAC and IP spoofing attacks
- ARP spoofing
- VLAN hopping attack
- STP attack
- VTP attack
First, access security of the switch
To prevent the switch from being probed or controlled by attackers, basic security must be configured on the switch:
- Use strong passwords
- Use ACLs to restrict management access
- Configure a system login banner (warning message)
- Disable unneeded services
- Disable CDP
- Enable system logging (syslog)
- Use SSH instead of Telnet
- Disable SNMP or use SNMPv3
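As an added example (not from the article), a Cisco IOS configuration that applies the hardening items listed above; the hostname, management subnet, syslog server address, SNMPv3 user name and all passwords are placeholders/assumptions.

```cisco
! Constructed example (not from the article). Assumptions: management from
! 10.0.0.0/24, syslog server 10.0.0.10, SNMPv3 user "monitor"; <...> = placeholder.
hostname ACCESS-SW1
ip domain-name example.local
! Strong, hashed enable and local user secrets
enable secret <STRONG-PASSWORD>
username admin privilege 15 secret <STRONG-PASSWORD>
service password-encryption
! Login banner shown before authentication
banner login ^C
Unauthorized access is prohibited. All activity may be monitored and logged.
^C
! SSH version 2 only (requires an RSA key pair; needs hostname and domain-name set)
crypto key generate rsa modulus 2048
ip ssh version 2
! Restrict management access to the admin subnet with an ACL on the vty lines
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny any log
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-ACCESS in
 exec-timeout 10 0
! Disable unneeded services and CDP
no ip http server
no ip http secure-server
no ip finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no cdp run
! Send timestamped logs to a central syslog server
service timestamps log datetime msec
logging host 10.0.0.10
logging trap informational
! SNMPv3 with authentication and encryption instead of v1/v2c community strings
snmp-server group MONITOR-GROUP v3 priv
snmp-server user monitor MONITOR-GROUP v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
```

If a device still needs CDP for IP phones, disable it per interface on user-facing ports with `no cdp enable` rather than globally.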
Second, port security of the switch
The switch relies on its MAC address table to forward data frames. If a destination MAC address is not in the table, the switch forwards the frame out every port (flooding). However, the size of the MAC address table is limited. MAC flooding attacks exploit this limitation by bombarding the switch with frames carrying fake source MAC addresses until the MAC address table is full. The switch then enters a mode called "fail-open" and behaves like a hub, broadcasting frames to all machines on the network, so the attacker can see every frame sent to a host that has no MAC address table entry. To prevent MAC flooding attacks, configure the port security feature, limit the number of valid MAC addresses allowed on a port, and define the port's action when a violation occurs: shutdown, protect, or restrict.
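As an added example (not from the article), a Cisco IOS port-security configuration implementing the address limit and violation action just described; the interface name, VLAN and the limit of two addresses are assumptions.

```cisco
! Constructed example (not from the article). Assumes GigabitEthernet0/1 faces an
! end host (a PC behind an IP phone, hence two MACs) in user VLAN 10.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Enable port security; allow at most 2 source MAC addresses on this port
 switchport port-security
 switchport port-security maximum 2
 ! Learn the first MACs seen and record them in the running configuration
 switchport port-security mac-address sticky
 ! Violation action: restrict = drop frames from unknown MACs, count the
 ! violation and log/trap it, but keep the port up. Alternatives:
 !   protect  = drop silently (no counter, no log)
 !   shutdown = put the port into err-disabled state (the default)
 switchport port-security violation restrict
!
! For ports using the shutdown action, recover automatically after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: secure MAC count, violation count, and the learned addresses
show port-security interface GigabitEthernet0/1
show port-security address
```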
Third, DHCP Snooping: preventing DHCP spoofing
When DHCP Snooping is enabled, the switch listens to DHCP messages and extracts and records the IP address and MAC address information from the DHCP Request or DHCP ACK messages it receives. In addition, DHCP Snooping allows each physical port to be set as a trusted or an untrusted port. Trusted ports receive and forward DHCP Offer messages normally, while untrusted ports discard any DHCP Offer messages they receive. In this way the switch shields the network from rogue DHCP servers and ensures that clients obtain IP addresses only from a legitimate DHCP server.
- The main function of DHCP snooping is to isolate rogue DHCP servers by configuring untrusted ports.
- It works together with DAI on the switch to prevent the spread of ARP viruses (ARP-spoofing malware).
- It establishes and maintains a DHCP snooping binding table. This table is generated from the IP and MAC addresses in DHCP ACK packets, and entries can also be specified manually. The table is the basis for the subsequent DAI (Dynamic ARP Inspection) and IP Source Guard features; these two similar technologies use it to determine whether an IP or MAC address is legitimate and so restrict which users may connect to the network.
- Rogue DHCP servers are isolated by establishing trusted and untrusted ports. A trusted port forwards DHCP packets normally. An untrusted port drops, rather than forwards, any DHCP Offer or DHCP ACK (server-side response) messages it receives.
Fourth, DAI: preventing ARP spoofing
Dynamic ARP Inspection (DAI) prevents ARP spoofing by helping to ensure that the access switch only forwards "legitimate" ARP requests and responses. DAI works on top of DHCP Snooping. DHCP Snooping maintains the binding table, which holds the IP address to MAC address bindings and associates each with a specific switch port. DAI checks all ARP requests and responses (gratuitous and normal ARP) on untrusted ports to ensure that a response comes from the true owner of the MAC address. The switch determines whether the sender is the true MAC owner by checking the DHCP binding information recorded for the port against the IP address in the ARP response. Illegitimate ARP packets are dropped.
DAI is configured per VLAN. For interfaces in the same VLAN, DAI can be turned on or off. If an ARP packet is received on a trusted interface, no check is required; if it is received on an untrusted interface, the packet is forwarded only if the binding information proves it legitimate. In this way, DHCP Snooping is also essential for DAI. DAI works dynamically, and connected client hosts do not need to change any settings. For servers that do not use DHCP, individual machines can be covered by adding static DHCP snooping binding entries or an ARP access-list.
In addition, DAI can control the rate of ARP request messages on a given port. Once the ARP request rate exceeds the preset threshold, the port is shut down immediately. This function can prevent the use of network scanning tools, and it can also block viruses or attacks characterised by large numbers of ARP messages.
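As an added example (not from the article), a Cisco IOS configuration that builds the DHCP snooping binding table and then enables DAI on top of it, covering the trusted/untrusted ports, static bindings for non-DHCP hosts and the ARP rate limit discussed in the two sections above. The VLAN number, interface roles, rate-limit values and the sample static host address are assumptions.

```cisco
! Constructed example (not from the article). Assumptions: VLAN 10 is the user VLAN,
! Gi0/24 is the uplink toward the legitimate DHCP server, Gi0/1-23 are host ports,
! and 10.1.10.50 / 0000.1111.2222 is a statically addressed server on Gi0/2.
!
! --- DHCP snooping: build the IP/MAC/VLAN/port binding table ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the upstream DHCP server expects it
no ip dhcp snooping information option
!
interface GigabitEthernet0/24
 description uplink toward the DHCP server
 ! trusted: DHCP Offer/ACK and ARP arriving here are forwarded unchecked
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ! untrusted (the default): any DHCP Offer/ACK received here is dropped
 ip dhcp snooping limit rate 15
 ! DAI rate limit: more than 15 ARP packets per second err-disables the port
 ip arp inspection limit rate 15 burst interval 1
!
! --- DAI: validate ARP from untrusted ports against the binding table ---
ip arp inspection vlan 10
! also check that the Ethernet src/dst MACs and the IP fields are consistent and valid
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static IPs have no DHCP binding; permit them via an ARP ACL ...
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0000.1111.2222
ip arp inspection filter STATIC-HOSTS vlan 10
! ... or with a static snooping binding (also used by IP Source Guard)
ip source binding 0000.1111.2222 vlan 10 10.1.10.50 interface GigabitEthernet0/2
!
! Recover ports err-disabled by the ARP rate limit after 5 minutes
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

Enable DHCP snooping and mark the uplink trusted before turning on DAI; otherwise existing clients with no binding entry will have their ARP traffic dropped until they renew their leases.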