Although security attacks on networks are not new events, attacks that use
Layer 2 to bypass VLAN restrictions are quickly gaining sophistication and
popularity. To mitigate the effects of these attacks as much as possible, the
following precautions are recommended:
- Manage switches as securely as possible. Use SSH if possible, or an
out-of-band management system. Avoid the use of clear text management protocols
such as Telnet or SNMP Version 1.
- Use IP-permit lists to restrict access to management ports.
- Selectively use SNMPv3 and treat community strings like root passwords.
- When SNMPv3 is used as a management protocol, restrict management access to
the management VLAN so that entities on untrusted networks cannot reach
management interfaces or protocols. Consider using DHCP snooping and IP source
guard to mitigate DHCP starvation attacks.
- Always use a dedicated VLAN ID for all trunk ports.
- Avoid using VLAN 1.
- Set all user ports to non-trunking mode.
- Deploy port security where possible for user ports. When feasible,
configure each port to associate a limited number of MAC addresses.
Approximately two to three MAC addresses should be adequate in most situations.
This will mitigate MAC flooding and other network attacks. Alternatively,
deploy dynamic port security using DHCP snooping along with Dynamic ARP
Inspection (DAI).
- Have a plan for the ARP security issues in the network. Consider using DHCP
Snooping along with Dynamic ARP Inspection and IP source guard to protect
against MAC spoofing and IP spoofing on the network.
- Use VLAN ACLs (VACLs) to prevent rogue DHCP servers by limiting replies to
DHCP clients to valid DHCP servers on the network. A more flexible approach
would be to use DHCP snooping to block unauthorized DHCP servers from
responding to DHCP Request packets.
- Enable STP attack mitigation with BPDU Guard and Root Guard.
- Use private VLANs where appropriate to further divide Layer 2 networks.
- Use Cisco Discovery Protocol (CDP) only where appropriate.
- Disable all unused ports and put them in an unused VLAN. This setup
prevents network intruders from plugging into unused ports and communicating
with the rest of the network.
- Use Cisco IOS Software ACLs on IP-forwarding devices to protect against
Layer 2 proxy attacks on private VLANs.
- Eliminate native VLANs from 802.1q trunks.
- Use VTP passwords to authenticate VTP advertisements.
- Consider using Layer 2 port authentication, such as 802.1x, to authenticate
clients attempting connectivity to a network.
- Procedures for change control and configuration analysis must be in place
to ensure that changes result in a secure configuration. This is especially
valuable in cases where several organizational groups may control the same
switch, and even more valuable in network security deployments where even
greater care must be taken.
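As an added example that is not part of the original lesson, the following Cisco IOS configuration fragment applies most of the recommendations above to a hypothetical 48-port Catalyst access switch. Interface names, the VLAN numbers (10 and 20 for users, 999 as the dedicated trunk native VLAN, 998 as the parking VLAN for unused ports), the management subnet 10.10.99.0/24, the SNMP group name and the VTP password placeholder are all assumptions.

```cisco
! Management plane: SSH v2 only, VTY access limited to the management subnet
! (run "crypto key generate rsa" from privileged EXEC first so SSH can start)
ip domain-name example.internal
ip ssh version 2
access-list 10 permit 10.10.99.0 0.0.0.255
line vty 0 15
 transport input ssh
 access-class 10 in
! SNMPv3 with authentication and privacy, restricted by the same IP-permit list
snmp-server group NETADMIN v3 priv access 10
! Authenticate VTP advertisements (placeholder value, set a real password)
vtp password VTP-PASSWORD-PLACEHOLDER
! DHCP snooping and Dynamic ARP Inspection on the user VLANs
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
! Tag the native VLAN on 802.1Q trunks so untagged frames are not accepted
vlan dot1q tag native
! BPDU Guard by default on every PortFast (edge) port
spanning-tree portfast bpduguard default
!
! User access ports: non-trunking, port security (max 3 MACs), IP Source Guard
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 ip verify source
 spanning-tree portfast
!
! Uplink trunk: dedicated native VLAN, only needed VLANs, trusted for snooping/DAI
interface GigabitEthernet1/0/48
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
! Root Guard is applied on designated ports that face downstream switches
! (typically at the distribution layer):  spanning-tree guard root
!
! Unused ports: parked in an unused VLAN and shut down
interface range GigabitEthernet1/0/45 - 47
 switchport mode access
 switchport access vlan 998
 shutdown
```

VLAN 1 carries no user traffic in this layout, and CDP can be disabled per user-facing port with `no cdp enable` where it is not needed.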
Many of the above features are available in Cisco Catalyst switches. Figure
details the availability of some of the features discussed in this lesson in
the switches listed across the top row.