This article is also available as a PDF download.
Many security administrators don't think of security when it comes to Layer 2 of the network infrastructure (where switches operate), and it's one of the most overlooked aspects of network security and reliability. In this article, I'll show you how to fix the most common mistakes in switch configuration and architecture. Although I'll use Cisco in my example, the tactics and lessons discussed here apply to any other vendor. These security procedures are a must for any data network, especially when IP phones are being used.
Enable SSH and disable Telnet
The most obvious password to set on Cisco equipment is the password and enable secret. If you leave this blank, your switch is wide open and anyone can see and nuke your VLAN configuration. When you have multiple switches and multiple administrators, it's best to use AAA authentication mode and use a local user database, centralized TACACS+, or RADIUS server for managing all your switches and administrators. TACACS+ may be more appropriate because it can log all events so that you have a history of all the changes made and who made them in your switch and router infrastructure. But the most important thing to remember is to avoid using Telnet at all cost and always implement SSH on all of your switches. Even if you don't have a crypto-enabled software image on your switch, all the current images will still allow you to SSH into your switch. Always create a unique username and password for each administrator. Then, you should enable SSH and kill Telnet.
Enable SSH and disable Telnet on Cisco Native IOS
|username admin1 privilege 15 password 0 Admin-Password||Creates an administrator called admin1. Repeat for every admin.|
|aaa new-model||Sets to AAA mode using a local database.|
|aaa authentication login default local|
|aaa authorization exec default local|
|aaa authorization network default local|
|aaa session-id common|
|ip domain name MyDomain.com||Creates a name used for certificate|
|crypto key generate rsa||Generate digital certificate. Use at least 768 bit Diffie-Hellman key.|
|line vty 0 4||go in to vty configuration|
|transport input ssh||only permit SSH login|
Enable SSH and disable TELNET on Cisco Catalyst OS
|set crypto key rsa 1024||Generates a 1024 bit RSA key|
|set ip permit 10.0.10.0 255.255.255.0 ssh||Explicitly permit SSH only from specified IP range|
|set ip enable|
Note that the Native IOS commands for Cisco Native IOS switches also work on Cisco IOS routers. Failure to use SSH can result in password theft and grant full control of switching infrastructure to the attacker.
Lock down VTP and SNMP security
It may be hard to believe, but the vast majority of networks I visited during my consulting days did not have the VTP domain password configured in their Cisco switches. If you leave this default, you might as well hand over the keys to the kingdom and post your entire switch architecture on the World Wide Web for everyone to see. Use the following commands in "config t" global configuration mode or in the "vlan data" VLAN Database Mode used in older Cisco software images to lock down your VTP configuration. Be sure to use your own unique strings and IP addresses in place of the sample arguments.
VTP configuration for Cisco Native IOS
|vtp domain My-VTP-name||set the VTP name|
|vtp password My-VTP-password||set the VTP password|
|vtp pruning||turn on VTP pruning|
VTP configuration for Cisco Catalyst OS
|set vtp domain My-VTP-name||Set the VTP name|
|set vtp passwd My-VTP-password||Set the VTP password|
|set vtp pruning enable||turn on VTP pruning|
You should also set your SNMP (preferably SNMP version 3) secrets, which are effectively passwords. Check this document for a full guide to Cisco SNMP management. Here's an example of how to configure an SNMP read-only and read-write server with the appropriate passwords in "config t" global configuration mode.
SNMP configuration for Cisco Native IOS
|snmp-server community MY-Read-Only-string ro 50||Set read-only string for SNMP requests coming from ACL 50|
|snmp-server community MY-Read-Write-string rw 51||Set read-write string for SNMP requests coming from ACL 51|
|access-list 50 permit IP-address-ro||Creates ACL of read-only SNMP servers. More than one permitted.|
|access-list 51 permit IP-address-rw||Creates ACL of read-write SNMP servers. More than one permitted.|
SNMP configuration for Cisco Catalyst OS
|set snmp community read-only read-only-string||Set read-only string|
|set snmp community read-write read-write-string||Set read-write string|
|set snmp community read-write-all rwo-string||Set read-write-all string|
If you don't intend to use SNMP at all, you should turn it off on Native IOS with the "no snmp-server" command in global configuration mode. You can skip all the previous SNMP commands.
Basic port lockdown
Switches should subscribe to the concept of least-privilege like everything else in security. The best way to set up a switch is to turn off every port when deploying it and turn on the ports as you go. Furthermore, you should put every port on an unused VLAN that goes nowhere and has no default gateway. You can create a VLAN labeled "unused" with a designated VLAN number such as 333 and put all your ports on that VLAN. In the following example, we have a typical Cisco IOS-based 48-port switch.
Basic port lockdown for Cisco Native IOS
|int range FastEthernet0/1 - 48||Go in to interface 1 - 48|
|switchport access vlan 333||Sets port to VLAN 333|
|switchport mode access||Turns off auto VLAN trunking|
|shut||Turns off port|
Basic port lockdown for Cisco Catalyst OS
|set vlan 333 1/1-2||Sets sup card ports to VLAN 333|
|set vlan 333 3/1-48||Sets all blade 3 ports to VLAN 333|
|set trunk 1/1-2 off||Disables trunking on all sup card ports|
|set trunk 3/1-48 off||Disables trunking on all blade 3 ports|
|set port disable 1/1-2||Turns off all ports on blade 1|
|set port disable 3/1-48||Turns off all ports on blade 3|
|Repeat "set vlan/trunk/port" commands for all blades and ports on switch|
You will need to do this for all your switches, which may vary depending on the model and OS type. If you're using some sort of stacking, you're going to have to do it for each stack. Then, as you plug in servers, you "no shut" the port and set it to the proper VLAN or even convert it to a trunking port if it's actually needed. When you assign VLANs to servers and workstations, NEVER use VLAN 1, which is the default native VLAN on switches, or whatever VLAN number you manually assigned as native VLAN. Avoiding the use of the native VLAN on servers, workstations, and other devices will defeat VLAN hopping attacks. If you don't run through this basic lockdown procedure, all switch ports will be enabled by default on VLAN 1. This is how many people use their switches, and it's a horrible mistake.
As you go through each port and connect new devices, you should use the "description My-Port-Name" command in Cisco IOS to label each port properly. Cisco Catalyst OS uses the "set port name 3/43 My-Port-Name" command to label ports. This is extremely useful with SNMP reporting servers like Solarwinds or HP OpenView because the port descriptions will be picked up in the reporting. This is the best form of documentation there is because it actually gets used.
Those who fail to use this basic port lockdown procedure are allowing anyone to trunk into their switch network and connect to any VLAN they want.
VLAN trunking lockdown
Whenever VLAN trunking is used on any port, that trunking port should minimize the number of VLANs to just those to be spanned across the switches. In the following example, we'll configure a trunk port to permit only VLANs 12-14 and 20-22.
VLAN trunking lockdown for Cisco Native IOS
|interface GigabitEthernet1/0/2||Enter second gigabit port on Cisco 3750|
|switchport mode trunk||Turns on trunking mode|
|Switchport trunk encapsulation dot1q||Sets trunk type to IEEE 802.1q|
|switchport trunk allow 12-14, 20-22||Only allow VLANs 12-14 and 20-22|
VLAN trunking lockdown for Cisco Catalyst OS
|Clear trunk 1/1-2 1-1005||Sets sup card ports to VLAN 333|
|Clear trunk 3/1-48 1-1005||Disables trunking on all sup card ports|
|Repeat "clear trunk" command for every blade and ever port ...|
|Set trunk 1/2 12-14||Sets port 1/2 to permit vlans 12-14|
|Set trunk 1/2 20-22||Sets port 1/2 to permit vlans 20-22|
Note that it takes a lot more work to clear the permitted VLAN trunks on a Catalyst OS by default because everything is on by default. The fact that we specified VLANs 12-14 and 20-22 on Catalyst OS doesn't mean anything because it's merely added to the bigger pool of 1-1005, which is on by default. On Cisco Native IOS, every VLAN is blocked until otherwise specified.
Failure to lock down the permitted VLANs on a trunk means it's possible for connected devices to connect to more VLANs than you may want.
STP BPDU and Root guard
Hackers can play all sorts of nasty tricks by sending BPDU traffic, which can force VLAN STP (spanning tree protocol) recalculations that take at least 30 seconds to clear. This allows them to perform DoS (denial of service) attacks indefinitely. They can also hijack traffic by pretending to be the STP root. BPDU guard and Root guard can prevent these sorts of attacks.
STP BPDU and Root guard for Cisco Native IOS
|spanning-tree portfast bpduguard||Enables BPDU guard on the switch|
|spanning-tree guard root||Enables Root guard on the switch|
|spanning-tree rootguard||Alternative command for some IOS versions|
STP BPDU and Root guard for Cisco Catalyst OS
|set spantree portfast bpdu-guard enable||Enables BPDU guard on the switch|
|set spantree guard root 1/1-2||Enables Root guard on blade 1|
|set spantree guard root 3/1-48||Enables Root guard on blade 3|
|Repeat "set spantree guard root" command for every blade/port ...|
Note that you must disable root guard and BPDU guard on ports that connect to other switches. Failure to implement this security feature will permit hackers to run BPDU denial of service on the entire switch infrastructure and to possibly intercept switch traffic.
Prevent CAM table and DHCP bombing
Hackers can take advantage the fact that there's a finite number of MAC and IP addresses that switches and DHCP servers can hold. The hacker can change his MAC address to request multiple DHCP addresses from a DHCP server and use up every single IP address in the DHCP pool. The hacker can also change his MAC address very rapidly to quickly fill up the CAM table on any Ethernet switch. Once the CAM table fills up on an Ethernet switch, it's effectively converted to an Ethernet hub. Besides massive performance degradation, the switch is forced to broadcast every network transaction on every port, which allows the hacker to eavesdrop on every device on the switch as if he were on a hub. To prevent CAM table and DHCP starvation attacks, you must configure port security like the following example.
Prevent CAM table and DHCP bombing on Cisco Native IOS
|int range FastEthernet 0/1 - 48||Go in to interface 1 - 48|
|switchport port-security||Turns on port security|
|switchport port-security maximum 5||Allow up to 5 MAC addresses|
|switchport port-security violation protect||Drop packets beyond 5 MAC addresses.|
|switchport port-security aging time 2|
|switchport port-security aging type inactivity|
|Repeat these steps for all other ports and all other switches|
Prevent CAM table and DHCP bombing on Cisco Catalyst OS
|set port security 1/1-2 enable||Enables port security on all blade 1 ports|
|set port security 3/1-48 enable||Enables port security on all blade 3 ports|
|set port security 1/1-2 port max 5||Allow 5 MAC addresses on blade 1|
|set port security 3/1-48 port max 5||Allow 5 MAC addresses on blade 3|
|set port security 1/1-2 violation protect||Drop packets beyond 5 MAC addresses.|
|set port security 3/1-48 violation protect||Drop packets beyond 5 MAC addresses.|
|set port security 1/1-2 age 2|
|set port security 3/1-48 age 2|
|set port security 1/1-2 timer-type inactivity|
|set port security 3/1-48 timer-type inactivity|
|Repeat these commands on all other blades and ports|
Note that you must disable port security on ports that connect to other switches.
Prevent DHCP, MAC, and IP spoofing
ARP and IP spoofing allow the hacker to pose as someone else in order to hijack traffic. DHCP spoofing allows an attacker to put unsuspecting clients on an Ethernet segment under a bogus IP range that must flow through the attacker to get to the rest of the network. All three methods are designed to hijack the flow of network traffic so that the attacker can sniff out all sorts of secrets on the internal LAN. You can prevent these attacks by implementing DHCP snooping, Dynamic ARP inspection, and IP Source Guard.
Prevent DHCP, ARP, and IP spoofing on Cisco Native IOS
|ip dhcp snooping vlan 1-1000||Turn on DHCP snooping for VLANs 1-1000|
|ip dhcp snooping||Turn on DHCP snooping|
|no ip dhcp snooping information option|
|ip arp inspection vlan 1-1000||ARP inspection on VLAN 1-1000|
|ip arp inspection log-buffer entries 1024|
|ip arp inspection log-buffer logs 1024 interval 10|
|Host Interface Commands||Description|
|int range FastEthernet 0/1 - 48||Go in to interface 1 - 48|
|no ip arp inspection trust||Locks down host ports for ARP|
|ip arp inspection limit rate 15||Sets ARP pps inspection rate|
|ip verify source vlan dhcp-snooping||Turns on IP Source Guard|
|DHCP client Interface Commands||Description|
|no ip dhcp snooping trust||Don't allow DHCP server|
|ip dhcp snooping limit rate 10||Limits rate of DHCP requests|
|Only use the following commands for trusted DHCP ports and ports that link to other trusted switches. The commands below will reverse some of the commands above. Failure to run the following commands for valid switch interconnects and DHCP servers will break the network and DHCP.|
|DHCP servers Interface Commands||Description|
|ip dhcp snooping trust||This port allows DHCP servers|
|Switch Interface Commands||Description|
|ip arp inspection trust||Unlocks port used to connect to trusted switches|
Note that Cisco Catalyst OS does not support these anti-spoofing features, so it's a good idea to migrate your big CAT OS switches to Native IOS. This does mean that you will have to merge your MSFC router with the CAT OS switch into a single Native IOS image.
Anti-spoofing is an extremely important component in Layer 2 defenses and hardens the switch infrastructure from internal LAN threats. Internal threats should be taken just as seriously as external threats because a single workstation that's compromised by malware and rootkit turns an external threat into an internal threat.
Limit the size of STP domains
This is one aspect of switch architecture that is often overlooked. A single STP (spanning tree protocol) domain should never be permitted to grow too large or get overly complex. I have been on campuses where a single user took down an entire campus with thousands of computers and IP telephones just by accidentally plugging in a small desktop switch and then accidentally looping a CAT-5 cable back into itself. The same network had mysterious campus-wide VLAN disruptions whenever something in the STP domain issued a BPDU request that caused an STP recalculation, which locked up the entire campus for 30 seconds at a time throughout the entire day. The disruptions to the data network were bad enough, but it took the IP telephony infrastructure down as well. Hundreds of people couldn't do their jobs because they had no data or phone access.
To avoid oversized and overly complicated STP topologies, you must route traffic instead of switching traffic. Realistically, this means you must use Layer 3 capable switches instead of Layer 2 switches that only know how to switch traffic and not route traffic. This also means that VLANs can't span across switches that don't belong in the same STP switching domain. These kinds of architectural changes may mean a fundamental redesign of the entire campus LAN, and it's not something to be taken lightly, but these issues must be considered before the deployment of any IP telephony system.
Maintain the switch software to the latest stable build
One of the biggest and most common sins in network security is that people assume the switch and routing infrastructure is the same as plumbing and that you never need to touch it. But if you're running a Cisco switch or router on a software image that is more than half a year old, you probably have some kind of security vulnerability on your router or switch. It's sad to say, but I've seen people run three- or four-year-old software images on their Cisco equipment and think nothing of it.
ALWAYS update your networking equipment just like your client and server computers with the latest stable software from your hardware vendor and keep an eye out for updates. All network and security engineers should be asking themselves "When was the last time I upgraded the software on my network equipment?" Work out a plan of action that includes an immediate and a longterm plan and present it to management. Be proactive and don't wait for an incident to occur before acting.
Layer 2 security is one of the most overlooked aspects of information security and is often missed in security audits, especially when those audits focus more on policy rather than actual implementation. Hackers don't care about policies, and they will take advantage of any security hole available to them. Layer 2 attacks are one of the first things a hacker will deploy after getting root of a single computer inside the network. One other aspect of Layer 2 attacks that's often overlooked are companies that implement VPN-based Wireless LAN security. Once unauthenticated, anonymous clients are allowed onto an access point, which is typically connected directly to an internal switch and segmented by VLAN, you can forget about Layer 2 security. It's very difficult to limit the number of MAC addresses coming from an access point. For this reason it is highly recommended that VPN-based wireless LAN security should be shunned for 802.1x-based wireless LAN security. TechRepublic offers its "Ultimate guide to enterprise wireless LAN security" in the form of 10 free articles. The guide is also available in a downloadable PDF format, which requires free registration.
Beyond these lockdown procedures is the next step in Layer 2 Switch security, which is the wired version of wireless LAN 802.1x security. Fortunately, the same infrastructure used for wireless LAN authentication also works for wired authentication. Port-based security basically says that we won't let you on our Layer 2 switch infrastructure, even if you plug into a port, until you prove who you are and that you're authorized to get onto the network. Although many corporations have implemented 802.1x wireless LAN security, not many have implemented the wired version of 802.1x. Windows XP automated wireless LAN 802.1x configuration but did not automate wired LAN 802.1x configuration. This is about to change with Vista, which automates wired and wireless LAN 802.1x configurations.
In addition to the 802.1x enhancements made, Vista also adds a NAP (Network Access Protection) client, which is Microsoft's version of the NAC (Network Access Control) standard. NAP or NAC takes the concept of 802.1x port-based security one step further by not only demanding authentication and authorization from the client before they're allowed on the network, but also by assessing the health of the client. If a client can prove who they are and that they're authorized on the network, they must still prove that they are healthy. NAC health is usually defined as fully patched for security vulnerabilities, proper host-based firewall implementation, and up-to-date antivirus definitions. If an authorized client computer fails the health test, they are put into quarantine on an isolated network until they remediate themselves with the proper updates.
The ideal network of today implements all of the lockdown procedures mentioned in this article. The ideal network of tomorrow will implement everything in this article in addition to NAP/NAC.