
Security feature for Cisco Switch

Posted on 2010-09-14
Last Modified: 2012-05-10
Hi all,
I want to make my network more secure, to prevent intruders from accessing and sniffing the data.
I will give a sample network scenario. Almost three offices, with 40 users each, are working in a site. There I have one 3560 and three 2960 switches. In the 3560, I have four VLANs configured:
1. Server VLAN
2. Office 1 VLAN
3. Office 2 VLAN
4. Office 3 VLAN

I am using one 2960 dedicated to each office. There is no trunking between the 3560 and the 2960s; each 2960 is connected to an access port of the 3560.
We have a Windows 2008 RODC and DHCP server in the Server VLAN, and all clients use dynamic IPs.
I want to prevent any third party from getting a dynamic IP if he connects to a port that is used by a dynamic user (some ports are like this: they are not in shutdown state, but the user is away). If the third party is not getting any IP, he may identify the range and put in a manual IP. I want to prevent these users from getting access to the network as well. Please give your suggestions.

Thanks,
Peter
Question by:anishpeter
 
Expert Comment by: myhc

IPsec secure server.
 
Expert Comment by: myhc

IPsec Secure Server & Clients would allow you to protect your network from any LAN/Wi-Fi attacks.
 
Expert Comment by: ddiazp

Cisco offers great features for this type of thing;

you can easily implement:

port-security sticky (to learn mac addresses on each port)
dhcp snooping (prevent rogue DHCP servers from giving out IP addresses - also need to configure your DHCP server port as trusted)
arp inspection (will detect anyone trying to spoof MAC addresses in your network)

Not only can you prevent the things you want, but you can also be proactive: the switch will send alerts to syslog and disable the port in violation.

Let me know if it interests you and I can show you specific commands, etc.
 
Author Comment by: anishpeter

Hi ddiazp,
That's what I want. I want specific commands for my scenario.
If I put the port-security sticky command, one MAC address (or several) will bind to one port. If the user moves to another port (a laptop user moves to the conference room) it won't work. Am I right? Then what could I do?

For my case, "If the third party is not getting any IP, he may identify the range and put in a manual IP. I want to prevent these users from getting access to the network as well." Will ARP inspection with DHCP snooping work or not? I have no VLANs configured in the 2960 switch (it is connected to one access VLAN port of the 3560). Then how do I configure ARP inspection? Can you guide me through the commands?

Peter
 
Accepted Solution by: ddiazp (earned 500 total points)

Here's the thing: it will be really hard to allow some flexibility for users to move from one office to another while preventing a random person from coming in, plugging in, setting up a static IP, etc.

You can never be 100% secure, but here I will show you how to make it the most difficult for an intruder to sneak into your network.

Settings you want to configure on the switch:

1. First and foremost, set every port connecting to an office or end device as an access port with the commands:

   interface faX/X
    switchport mode access

You might want to do this on every single port if you have no VLANs (so no need for trunking).

2. Execute the following command on the switch to enable DHCP snooping:

   ip dhcp snooping
   ip dhcp snooping vlan 1        ! snooping is also switched on per VLAN; the 2960 ports are all in VLAN 1

After the above command is typed, go into the interface of the switch that connects to your legitimate DHCP server (let's say it's on fa0/24):

   interface fa0/24
    ip dhcp snooping trust

3. Implement ARP inspection after DHCP snooping:

   ip arp inspection vlan 1       ! DAI is enabled per VLAN, not globally

4. Limit the number of MAC addresses per port (for port-security the port must be in access mode, see suggestion #1):

   interface fa0/X
    switchport port-security                 ! port-security has to be enabled on the port before the maximum takes effect
    switchport port-security maximum #       ! replace # with the number of MAC addresses allowed to connect to this port

Try to keep this as low as possible, but allow some flexibility in rooms where many devices may be plugged in, as in conference rooms, etc. These are the targeted rooms when somebody is trying to get into the network, so if physical access cannot be controlled, I suggest hard-coding MAC addresses on these ports.

5. Dynamically learn the MAC addresses connected on specific ports:

   interface fa0/X
    switchport port-security mac-address sticky

If you don't have too many clients, and you have an inventory of MAC addresses, you can map specific ports to users' MAC addresses and set the maximum MAC addresses to 1.

6. Configure the violation mode for when the number of MAC addresses exceeds the allowable number:

   interface fa0/X
    switchport port-security violation restrict

(This will increase a counter for the number of violations, which you can check with 'show port-security interface fa0/X', and also produces a log entry.)

7. A bit extreme, but you can implement 802.1X (the client needs to authenticate against RADIUS or TACACS+ before the switch allows communication).

It's got a few components to set up (the authentication server and the switch). Here's the switch configuration; you can configure a Windows Server 2003 as a RADIUS server (many guides online):

   aaa new-model
   radius-server host X.X.X.X               ! IP of RADIUS server
   radius-server key KEY                    ! replace KEY with the key configured on the RADIUS server
   aaa group server radius mygroup
    server X.X.X.X                          ! the group needs at least one member, otherwise authentication has no server to query
   aaa authentication dot1x default group mygroup
   dot1x system-auth-control
   interface fa0/X
    dot1x port-control auto

Finally, I'm not sure if all these features are available on your 2900 switch, but you should be aware of these possibilities.

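The configuration below pulls steps 1 to 6 of the accepted solution together into one complete access-switch config for an office 2960, plus the one line the 3560 needs. It is an added example written for this page, not ddiazp's commands and not Cisco documentation. Beyond the steps above it adds the pieces a working deployment needs: the per-VLAN keywords, a snooping database that survives a reboot, IP Source Guard on the user ports (so a hand-typed static IP cannot send IP traffic at all, which is the asker's second concern), a manual binding for a legitimately static host, and the DHCP option 82 setting that otherwise silently breaks DHCP relay through the 3560. Assumptions: all 2960 ports are in VLAN 1 as the thread states, Fa0/24 is the uplink to the 3560, Fa0/1-23 are user ports, a printer with a static address sits on Fa0/10, the DHCP server is 10.0.0.5, and the office VLAN's SVI on the 3560 is Vlan20; the MAC and IP values are made up. IP Source Guard needs an IOS image that supports it (the thread later mentions 12.2(53)SE on the 2960).

```cisco
! ===== Office 2960 access switch (example; all ports in VLAN 1, uplink on Fa0/24) =====
!
! --- DHCP snooping: learn IP/MAC/port bindings from real leases ---
ip dhcp snooping
ip dhcp snooping vlan 1
! By default the 2960 inserts DHCP option 82 with giaddr 0.0.0.0. The relay on the
! 3560 (ip helper-address) drops such packets unless it is told to trust them, so
! either turn the option off here or add "ip dhcp relay information trust-all"
! on the 3560 (shown at the bottom). Do one of the two, not neither.
no ip dhcp snooping information option
! Keep the bindings in flash; otherwise every client is blocked by DAI/IPSG after a
! reboot until it renews its lease.
ip dhcp snooping database flash:/dhcp-snoop.db
!
! --- Dynamic ARP Inspection: drop ARP on untrusted ports that has no binding ---
ip arp inspection vlan 1
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink toward the 3560: the DHCP server, RODC and the default gateway live
! --- behind it, so DHCP replies and ARP from here are trusted ---
interface FastEthernet0/24
 description Uplink to 3560
 switchport mode access
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User ports: untrusted (the default). Port-security without "sticky" so a
! --- laptop can roam; IP Source Guard so a host with a typed-in IP and no
! --- binding cannot send IP traffic, even if it guessed a free address ---
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! dynamic (non-sticky) entries age out after 5 minutes of silence, so a laptop
 ! that moves to the conference room is learned there instead of tripping a violation
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ip verify source
!
! --- A host that legitimately uses a static IP (assumed: a printer on Fa0/10)
! --- needs a manual binding, otherwise DAI and IPSG drop it like an intruder ---
ip source binding 0011.2233.4455 vlan 1 192.168.10.50 interface FastEthernet0/10
!
! ===== 3560 (routes between the VLANs and relays DHCP to 10.0.0.5) =====
! Only needed if you keep option 82 insertion enabled on the 2960s:
ip dhcp relay information trust-all
!
interface Vlan20
 description Office 1 VLAN
 ip helper-address 10.0.0.5
```

What this buys against the scenario in the question: an intruder on an untrusted port gets no lease if the scope is exhausted, and if he types in an address anyway he has no snooping binding, so DAI drops his ARP (he cannot resolve the gateway or poison anyone else's cache) and IP Source Guard drops his IP packets. He can still see broadcast and flooded frames on the VLAN, which is what the later discussion about unmanaged switches and 802.1X is about. Verify with show ip dhcp snooping binding (every active client should appear), show ip arp inspection statistics vlan 1 (the Dropped counter shows blocked ARP), show ip verify source (per-port filter state), and show port-security interface Fa0/1 (violation count). If clients suddenly stop getting leases after enabling snooping, check the option 82 point first: it is by far the most common cause.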
 
Author Comment by: anishpeter

Hi ddiazp,
But for the ARP inspection command, I found some VLAN has to be specified. Am I right? When I have no VLAN in the 2960, which should I specify?
Also, in wired 802.1X security, did you try with an XP SP3 computer? It is different from SP2. No computer authentication credentials are passed by default. We have to manually export the network config to XML and manually edit it. Did you try it?

Thanks,
Peter
 
Assisted Solution by: ddiazp (earned 500 total points)

Hi,

In your case, you'll want to do

ip arp inspection vlan 1

if you do 'show vlan brief' you will see all your ports are part of VLAN1


Regarding 802.1X, I'll have to set it up on my lab equipment with an SP3 machine.

 
Expert Comment by: ddiazp

I have found these nicely put instructions on how to configure the XP SP3 machine:

http://support.microsoft.com/kb/929847/

In short; this is what you need to do:

===================================================================================================
1. Start the Wired AutoConfig service and set it to Automatic. (Can be done on all PCs automatically through group policies)

2. Create Profile by right clicking your network connection, going to the authentication tab and clicking
(These profiles are not machine specific, so you could copy this file and paste it into many machines)

3. Export the profile with: netsh lan export profile folder=c:\

4. Edit XML file like this:

   <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
     <cacheUserData>false</cacheUserData>
     <authMode>machine</authMode>
     <EAPConfig>...</EAPConfig>
   </OneX>

5. Add the profile you just edited with: netsh lan add profile filename=PathofXMLFile
===================================================================================================

Good thing is, once you do it on one machine, you can copy the XML profile to many machines, and just execute the command netsh lan add profile filename=PathofXMLFile (Make sure the Wired AutoConfig service is set to auto)

Still somewhat scalable but needs a bit more work; for the full details check out the site I posted above
 
Author Comment by: anishpeter

Hi ddiazp,
I tried this workaround before in one of my sites, and it was almost working in my network for two weeks. After that it started creating problems like not sending computer credentials and login failed, and I reverted the dot1x security in my switch. I found it works fine for XP SP2. Has anyone had this experience?
Anyway, to discuss ARP inspection: do I need to use the ip arp inspection trust command on the interface connected to the 3560 switch?
Also, my 3560 is not connected to any user machines. It is connected to servers and the other 2960s. In this case, do I need to enable ARP inspection in the 3560?
My final intention is to:
1. Protect against ARP attacks and sniffing of others' data.
2. If a third party comes inside and puts in a static IP from the used range, or uses the IP of an offline user, he won't be able to get access to the network.
Will these work with ARP inspection alone?

Final issue: some of my sites use unmanaged 8-port switches where there is no wiring extended to the main wiring closet. Here I cannot do ARP inspection in these switches. Any good workaround for this?

Thanks,
Anish
 
LVL 10

Assisted Solution

by:ddiazp
ddiazp earned 500 total points
Comment Utility
You won't need arp inspection to your 3560 switch; you can go under safe interfaces and do ip arp inspection trust, or interfaces that won't go into offices (to trusted servers or switches)

Perhaps he issue you had with dot1x in the past was related to your authentication server? Perhaps the ports having issues were connected to users who changed their passwords but their old credentials were cached and therefore authentication failed?

1. With the features i showed before, including the arp inspection, you should be fine against arp attacks, mac flooding, man in the middle attacks, etc,. Once the switch detects any of these activities (switch keeps db of macs, IPs, number of macs on each port etc), the port will be shutdown (see switchport port-security violation restrict). Since you do not have vlans configured, we are not concerned with vlan hopping attacks (users negotiating trunk with switch and sniff traffic from all vlans), or implementing private vlans.

Another feature is IP Source Guard; however I doubt you can run this on your 2900 switch since it's designed for higher end switches -- it builds 'access lists' on ports!! based on observing legit dhcp transactions which would help take care of your concern with #2. However, it's a bit too restrictive as it locks down the port to the mac address and IP negotiated from DHCP.

for IP Source Guard: ip verify source vlan dhcp snooping port-security

2. The only thing that comes to mind is to prevent this is with the port-security mac-address command; arp inspection will prevent him from taking the IP of an offline client if the arp table hasn't expired only. The problem with this scenario is that you can't differentiate a third party person from a legit employee unless you have a list of mac addresses to trust. What you can do is come up with a list of ports that third party people could have access to, and hardcode allowed mac-addresses from your office in those port with the mac-addresses and maximum # that are allowed in those porst. It could be time consuming but it would pay off if the risk is high. Now.. if a third party can spoof an allowed mac-address, he could get inside the network if the MAC address has a reserved IP in DHCP that is not being used; not even ip source guard can help

Remember, if a third party person is very determined to get into your network and they have the time, they will if given physical access to the site


0
 
Expert Comment by: ddiazp

For your final issue: the 2900 switch can in fact see all the MAC addresses coming from your 8-port switches (you can verify this by doing show mac-address-table), so you can again implement the MAC address port-security feature and limit the number of MAC addresses to 8, with the sticky command so you don't have to hardcode them.
 
 
Author Comment by: anishpeter

Hi ddiazp,
Sorry, the last comment closed accidentally. Continued..
MAC address binding is really hard to implement because all the top people are moving around the office, and that is why I reverted the port security I implemented before. Will I be able to use the IP Source Guard feature without this problem? Does it work without sticky binding of MAC addresses, meaning will it allow roaming of users?

Another thing: "ARP inspection will prevent him from taking the IP of an offline client only if the ARP table hasn't expired. The problem with this scenario is that you can't differentiate a third-party person from a legitimate employee unless you have a list of MAC addresses to trust." Please explain this. I understand the ARP table and DHCP snooping table will remain in the RAM of the switch until a reboot of the hardware. If so, is it needed to differentiate the third party and have a list?

In my network we cannot isolate a place for third parties. Government auditors are there all the days, and they sometimes do an IT audit, like the possibility to hack the data.

Also, "the 2900 switch can in fact see all the MAC addresses coming from your 8-port switches": you mean I can implement ARP inspection and IP Source Guard without replacing the 8-port unmanaged switches?

Thanks,
Peter
 
Author Comment by: anishpeter

Hi ddiazp,

I am waiting for your feedback. Please be fast.

Thanks,
Peter
 
Expert Comment by: ddiazp

Sorry, I didn't see your replies earlier.

I suspect you'll have problems with IP Source Guard then too, since it works by checking IP addresses against MAC address bindings; also, I'm not sure if it's available on 2900 switches since it's very CPU intensive.

If your network security is a high-priority task, then you should by all means acquire the MAC address of every single device on your network, to make your life easier, although it can be hard to track new purchases, etc.

When doing show arp on a switch you'll notice an 'Age' field, stated in minutes; depending on your ARP timeout it will expire that entry from the cache. The default is 4 hours as indicated by Cisco (http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_arp.html):

   arp timeout
   To configure how long a dynamically learned IP address and its corresponding Media Access Control (MAC) address remain in the Address Resolution Protocol (ARP) cache, use the arp timeout command in interface configuration mode. To restore the default value, use the no form of this command.
      arp timeout seconds
      no arp timeout seconds
   Syntax Description
      seconds    Time (in seconds) that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache.
   Defaults
      14400 seconds (4 hours)

But you're right about the DHCP snooping table; that one doesn't seem to expire until reboot, but there's a way to even save that table and load it up after reboot. Here's an awesome reference for DHCP snooping (http://craigchamberlain.com/library/products/DHCP%20Snooping.pdf).

If isolation of third parties is a possibility, you might want to think about assigning those ports to specific VLANs that are only allowed to access the Internet, using access lists at layer 3 or using VACLs. This might be a smart idea if they are always in the same place.

Regarding your 8-port switches in users' offices, ARP inspection should be fine, and because Source Guard uses IPs and MAC addresses, it should be fine too.
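The isolation idea above (auditor ports in their own VLAN that can only reach the Internet, enforced with a layer 3 access list) worked through as an added example for this page, not the expert's configuration. It changes the thread's layout in one respect, stated here as an assumption: the office 2960's link to the 3560 becomes an 802.1Q trunk carrying the office VLAN and the auditor VLAN, because a second VLAN cannot be carried over the single access port the thread describes. Other assumptions: the office VLAN is ID 20 on both switches, the auditor VLAN is 50 with subnet 10.50.0.0/24, the Windows DHCP/DNS server is 10.0.0.5, internal addressing uses the RFC 1918 ranges, the auditors' wall jacks are Fa0/20-22 on the 2960, and the 3560 port facing that 2960 is Fa0/1.

```cisco
! ===== 3560: auditor VLAN that may reach DHCP, DNS and the Internet only (example) =====
vlan 50
 name AUDITORS
!
ip access-list extended AUDITOR-IN
 remark DHCP from the clients to the relay on this SVI
 permit udp any eq bootpc any eq bootps
 remark DNS on the Windows server (assumed address)
 permit udp any host 10.0.0.5 eq domain
 remark everything else inside the company is off limits (assumed internal ranges)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark what remains is the Internet
 permit ip any any
!
interface Vlan50
 description Auditor / third-party VLAN
 ip address 10.50.0.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip access-group AUDITOR-IN in
!
! The link to the office 2960 becomes a trunk. Restrict it to the two VLANs it needs and
! disable DTP so nobody on the far side can negotiate a trunk carrying the server VLAN.
interface FastEthernet0/1
 description To Office1-2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20,50
 switchport nonegotiate
!
! ===== Office 2960 =====
vlan 50
 name AUDITORS
!
interface FastEthernet0/24
 description Uplink to 3560
 switchport mode trunk
 switchport trunk allowed vlan 20,50
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! DHCP snooping and DAI now have to cover both VLANs, not just the office one
ip dhcp snooping vlan 20,50
ip arp inspection vlan 20,50
!
! Normal office jacks stay in the office VLAN
interface range FastEthernet0/1 - 19
 switchport mode access
 switchport access vlan 20
!
! Wall jacks in the rooms the auditors use
interface range FastEthernet0/20 - 22
 switchport mode access
 switchport access vlan 50
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
```

The access list is applied inbound on the SVI, so it filters what VLAN 50 sends toward the rest of the network; the DHCP and DNS permits come first because the deny for 10.0.0.0/8 would otherwise swallow them. Check it with show access-lists AUDITOR-IN (the deny counters climb as soon as an auditor's machine tries to reach an office subnet) and show interfaces trunk on both ends to confirm only VLANs 20 and 50 are carried. DHCP snooping and DAI still apply on the auditor ports, so the "type in a static IP" case is handled exactly as on the office ports.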
 
Assisted Solution by: ddiazp (earned 500 total points)

Clarification:

My first sentence: I suspect you'll have problems with IP Source guard then too; since it works by checking IP addresses on mac address bindings

had the wrong idea; it should be fine since port doesn't matter; ip source guard looks at mac and IP.


 
Author Comment by: anishpeter

Hi ddiazp,
Thanks for the detailed explanation. Let me ask you some more questions before closing the case.
(Cisco 2960 has DAI in IOS 12.2(53)SE.)
If I am saving the DHCP snooping table to TFTP, then is expiring or clearing the ARP table still an issue? Since I have the binding entry, will it rebuild the ARP table? Will there be any disruption/delay for a user to connect, other than the switch boot-up delay?
I find that even though the scope and functionality of Dynamic ARP Inspection is different from IP Source Guard, DAI can achieve what IP Source Guard gives. Do you agree, or is my finding wrong?

My clients have a DHCP lease of infinity, and the scope is closed (so a third party can't get an IP). In that case, if I implement DHCP snooping now, will it be populated with my existing leases?

Also, please explain more: if I have an 8-port D-Link unmanaged switch connected to one port of the Cisco 2960, and DAI is enabled on the 2960, what happens if a user connects to the D-Link? Will DHCP snooping build up automatically, or do I have to manually add an entry in the snooping database? I read some notes that I have to manually add an entry. Please check. I am keeping the port that is connected to the D-Link untrusted. I assume someone connected to the D-Link can sniff packets of another user connected to the D-Link. Correct?

Thanks,
Peter
 
Author Comment by: anishpeter

Hi all,
I found the answers to the last query myself. Saving the snooping table is not mandatory if the switch is an access switch and all entries are from DHCP. But we may have some static IPs, or if the switch is an aggregation switch, then we need to save the snooping table. I found it is easier to save it in flash than on an external TFTP server. It won't take much space (maybe 20 KB) in flash.

"My clients have a DHCP lease of infinity, and the scope is closed (so a third party can't get an IP). In that case, if I implement DHCP snooping now, will it be populated with my existing leases?" Yes. No problem populating the DHCP entries. Whenever the client computer boots up, the entries will be populated in the snooping database.

Next question, about unmanaged switches. These switches are always a threat to secure networking and have to be eliminated at any cost. Only one workstation connected to the D-Link switch will populate the DHCP snooping table and will work. If you want to add more workstations to the unmanaged switch, then you have to manually add snooping entries. But after implementing DAI, Source Guard and all, what if one user turns hacker and tries to sniff the data of another user connected to the unmanaged switch? So it is a good idea to remove all unmanaged switches and extend network cabling end to end from the main IDF to the user wall jack. If that is not practical, implement Wi-Fi with WPA2 Enterprise with RADIUS security.

Hope I can close the discussion. Thanks to all who participated, especially "ddiazp".

Bye,
Peter
 
Author Closing Comment by: anishpeter

All aspects of L2 security are discussed here, and almost all the concerns are addressed.
