Essential lockdowns for Layer 2 switch security

Failing to secure your switch architecture is like sending hackers an engraved invitation to attack your network. Yet security administrators often neglect to lock down Layer 2 of their network infrastructure. This comprehensive guide explains the essential procedures that will enable you to properly configure and secure your switch infrastructure.

Many security administrators don't think of security when it comes to Layer 2 of the network infrastructure (where switches operate), and it's one of the most overlooked aspects of network security and reliability.  In this article, I'll show you how to fix the most common mistakes in switch configuration and architecture.  Although I'll use Cisco in my example, the tactics and lessons discussed here apply to any other vendor.  These security procedures are a must for any data network, especially when IP phones are being used.

Enable SSH and disable Telnet

The first secrets to set on Cisco equipment are the login password and the enable secret.  If you leave them blank, your switch is wide open and anyone who can reach it can view and destroy your VLAN configuration.  When you have multiple switches and multiple administrators, enable AAA and authenticate against a local user database, a centralized TACACS+ server, or a RADIUS server so that all switches and administrators are managed in one place.  TACACS+ is usually the better fit because it can authorize and account for individual commands, giving you a history of every change made and who made it across your switch and router infrastructure.  But the most important thing to remember is to avoid Telnet at all cost, because it carries the login and enable passwords in cleartext, and to use SSH on every switch.  SSH needs an IOS image with cryptographic support (the "k9" feature sets on classic IOS); confirm that your image has it before you rely on SSH, and upgrade the image if it does not.  Always create a unique username and password for each administrator.  Then enable SSH and kill Telnet.

Enable SSH and disable Telnet on Cisco Native IOS

Command - Description
username admin1 privilege 15 secret Admin-Password - Creates an administrator called admin1 with a hashed secret ("password 0" would store a reversible type 7 string instead).  Repeat for every admin.
aaa new-model - Enables AAA; the following lines point it at the local user database.
aaa authentication login default local - Authenticates logins against the local user database.
aaa authorization exec default local - Authorizes EXEC (shell) access locally.
aaa authorization network default local - Authorizes network services locally.
aaa session-id common - Uses one accounting session ID for all records belonging to a session.
ip domain name My-Domain - Sets the domain name; together with the hostname it names the RSA key pair and must exist before the key can be generated.
crypto key generate rsa modulus 2048 - Generates the RSA key pair the SSH server uses (it is not a certificate and not a Diffie-Hellman key).  Use a modulus of at least 2048 bits; SSH version 2 needs 768 or more, so 768 is a floor, not a recommendation.
line vty 0 4 - Enters configuration for VTY lines 0 through 4.  Cover every VTY line your platform has (for example 0 15), or the remaining lines keep accepting Telnet.
transport input ssh - Accepts only SSH on these lines; Telnet connections are refused.

Enable SSH and disable TELNET on Cisco Catalyst OS

Command - Description
set crypto key rsa 1024 - Generates a 1024-bit RSA key for the SSH server
set ip permit IP-address mask ssh - Adds a management host or address range to the SSH permit list
set ip permit enable ssh - Enforces the permit list so that SSH is accepted only from the listed addresses

Note that the Native IOS commands for Cisco Native IOS switches also work on Cisco IOS routers.  Failure to use SSH means anyone who can sniff the management traffic collects the login and enable passwords and gains full control of the switching infrastructure.
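As an added example (not part of the original article), here is a complete management-plane configuration for a Cisco IOS switch that puts the table above together with the TACACS+ option discussed in the text: SSH version 2 only, a VTY access list, TACACS+ authentication, command authorization and accounting with local fallback, and login throttling.  The hostname, domain, addresses, ACL name and secrets are placeholders.

```cisco
! Added example, not from the original article. All names, addresses and
! secrets are placeholders; replace them with your own.
hostname SW-ACCESS-01
ip domain-name example.net
service password-encryption
!
! Local accounts are the fallback used only when no TACACS+ server answers.
enable secret My-Enable-Secret
username admin1 privilege 15 secret Admin1-Secret
!
! TACACS+ server, shared key and AAA method lists
tacacs-server host 10.0.0.10
tacacs-server key TacacsSharedKey
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
!
! SSH server: 2048-bit RSA key pair, version 2 only, short timeouts.
! The key must exist before "ip ssh version 2" is accepted.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may open a session; log everything else.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Slow down password guessing and log every attempt.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Cover every VTY line the platform has, not just 0-4.
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 logging synchronous
!
! Remove the other management paths that would bypass SSH.
no ip http server
no ip http secure-server
```

Verify with "show ip ssh" (it should report version 2.0) and by confirming that a Telnet attempt to the switch is refused.  Because TACACS+ comes first in every method list, the local admin1 account is only consulted when every TACACS+ server is unreachable, which keeps the command history complete under normal operation.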

Lock down VTP and SNMP security

It may be hard to believe, but the vast majority of networks I visited during my consulting days did not have the VTP domain password configured in their Cisco switches.  Without a password, any device that can form a trunk and send VTP advertisements with a higher configuration revision number can overwrite the VLAN database on every switch in the domain, which is as good as handing over the keys to the kingdom.  Use the following commands in "config t" global configuration mode, or in the "vlan database" mode of older Cisco software images, to lock down your VTP configuration.  Be sure to use your own unique strings and IP addresses in place of the sample arguments.  Note that the password only authenticates advertisements; switches that do not need to learn VLANs from the network are safer still in VTP transparent mode, where they ignore advertisements altogether.

VTP configuration for Cisco Native IOS

Command - Description
vtp domain My-VTP-name - Sets the VTP domain name
vtp password My-VTP-password - Sets the VTP password
vtp pruning - Turns on VTP pruning

VTP configuration for Cisco Catalyst OS

Command - Description
set vtp domain My-VTP-name - Sets the VTP domain name
set vtp passwd My-VTP-password - Sets the VTP password
set vtp pruning enable - Turns on VTP pruning

You should also set your SNMP secrets, which are effectively passwords.  Prefer SNMP version 3, which authenticates and encrypts each request; version 1 and 2c community strings travel in cleartext and anyone who captures one can read, and with a read-write string rewrite, the switch configuration.  Here's an example of how to configure read-only and read-write community strings, restricted by access list to your management servers, in "config t" global configuration mode.

SNMP configuration for Cisco Native IOS

Command - Description
snmp-server community MY-Read-Only-string ro 50 - Sets the read-only community string, accepted only from sources matched by ACL 50
snmp-server community MY-Read-Write-string rw 51 - Sets the read-write community string, accepted only from sources matched by ACL 51
access-list 50 permit IP-address-ro - Creates the ACL of read-only SNMP servers.  Repeat the line for each server.
access-list 51 permit IP-address-rw - Creates the ACL of read-write SNMP servers.  Repeat the line for each server.

SNMP configuration for Cisco Catalyst OS

Command - Description
set snmp community read-only read-only-string - Sets the read-only string
set snmp community read-write read-write-string - Sets the read-write string
set snmp community read-write-all rwo-string - Sets the read-write-all string, which can also change the community strings themselves
If you don't intend to use SNMP at all, turn it off on Native IOS with the "no snmp-server" command in global configuration mode and skip all the previous SNMP commands.
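As an added example (not part of the original article), the following Native IOS configuration applies the two recommendations above that the tables do not show: VTP transparent mode on a switch that should never accept VLAN changes from the network, and SNMP version 3 with authentication and encryption in place of community strings.  The domain name, passphrases, view and group names, and addresses are placeholders.

```cisco
! Added example, not from the original article. Names, addresses and
! passphrases are placeholders.
!
! VTP: authenticate advertisements, and keep this switch out of the
! server/client game entirely so a rogue switch with a higher revision
! number cannot rewrite its VLAN table. (VTP version 3 also has "vtp mode off".)
vtp domain My-VTP-name
vtp password My-VTP-password
vtp mode transparent
!
! SNMPv3: authenticated with SHA and encrypted with AES-128, read-only
! view, accepted only from the management subnet in ACL 50.
! No "snmp-server community" lines at all.
access-list 50 permit 10.0.0.0 0.0.0.255
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access 50
snmp-server user nms-poller NMS-RO v3 auth sha NmsAuthPass priv aes 128 NmsPrivPass
!
! Traps to the management station, also over v3 with privacy
snmp-server host 10.0.0.20 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup
```

Two things catch people out here.  The "snmp-server user" line is not displayed in the running configuration (use "show snmp user" to confirm it), so keep the passphrases in your password store rather than expecting to read them back.  And a switch in transparent mode still forwards VTP advertisements to its neighbours, so the domain name and password still matter on the switches you leave in server or client mode.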

Basic port lockdown

Switches should subscribe to the concept of least privilege like everything else in security.  The best way to set up a switch is to turn off every port when deploying it and turn ports on as you go.  Furthermore, you should put every port on an unused VLAN that goes nowhere: no Layer 3 interface, no default gateway, and not carried on any trunk.  You can create a VLAN labeled "unused" with a designated VLAN number such as 333 and put all your ports on that VLAN.  In the following example, we have a typical Cisco IOS-based 48-port switch.

Basic port lockdown for Cisco Native IOS

Command - Description
int range FastEthernet0/1 - 48 - Enters interfaces 1 through 48
switchport access vlan 333 - Assigns the port to VLAN 333
switchport mode access - Forces access mode so the port cannot negotiate a trunk through DTP
shut - Administratively disables the port

Basic port lockdown for Cisco Catalyst OS

Command - Description
set vlan 333 1/1-2 - Sets the sup card ports to VLAN 333
set vlan 333 3/1-48 - Sets all blade 3 ports to VLAN 333
set trunk 1/1-2 off - Disables trunking on all sup card ports
set trunk 3/1-48 off - Disables trunking on all blade 3 ports
set port disable 1/1-2 - Turns off all ports on blade 1
set port disable 3/1-48 - Turns off all ports on blade 3
Repeat the "set vlan", "set trunk" and "set port" commands for all blades and ports on the switch
You will need to do this on every switch, and the details vary with the model and OS type.  If you're using some sort of stacking, you're going to have to do it for each stack.  Then, as you plug in servers, you "no shut" the port and set it to the proper VLAN, or convert it to a trunking port only if that is genuinely needed.  When you assign VLANs to servers and workstations, NEVER use VLAN 1, which is the default native VLAN on switches, or whatever VLAN number you manually assigned as the native VLAN on your trunks.  The classic double-tagging VLAN hopping attack depends on the attacker sitting in the trunk's native VLAN: the first switch strips the outer tag when it forwards the frame untagged on the native VLAN, and the next switch reads the inner tag and delivers the frame into a VLAN the attacker is not a member of.  Keeping hosts out of the native VLAN removes that precondition, and tagging the native VLAN on your trunks removes it entirely.  If you don't run through this basic lockdown procedure, all switch ports are enabled by default on VLAN 1.  This is how many people use their switches, and it's a horrible mistake.

As you go through each port and connect new devices, label each port properly with the "description My-Port-Name" command in Cisco IOS or the "set port name 3/43 My-Port-Name" command in Cisco Catalyst OS.  This is extremely useful with SNMP reporting servers like SolarWinds or HP OpenView because the port descriptions are picked up in the reporting.  This is the best form of documentation there is because it actually gets used.

Those who fail to use this basic port lockdown procedure are allowing anyone with physical access to a port to negotiate a trunk into their switch network and connect to any VLAN they want.

VLAN trunking lockdown

Whenever VLAN trunking is used on a port, that trunk should carry only the VLANs that actually need to span the switches.  In the following example, we'll configure a trunk port to permit only VLANs 12-14 and 20-22.

VLAN trunking lockdown for Cisco Native IOS

Command - Description
interface GigabitEthernet1/0/2 - Enters the second gigabit port on a Cisco 3750
switchport trunk encapsulation dot1q - Sets the trunk type to IEEE 802.1Q.  This must come before "switchport mode trunk" on platforms that also support ISL, or the mode command is rejected while the encapsulation is still "auto".
switchport mode trunk - Turns on trunking mode
switchport trunk allowed vlan 12-14,20-22 - Replaces the allowed list so that only VLANs 12-14 and 20-22 are carried

VLAN trunking lockdown for Cisco Catalyst OS

Command - Description
clear trunk 1/1-2 1-1005 - Removes VLANs 1-1005 from the allowed list on the sup card ports
clear trunk 3/1-48 1-1005 - Removes VLANs 1-1005 from the allowed list on all blade 3 ports
Repeat the "clear trunk" command for every blade and every port ...
set trunk 1/2 12-14 - Allows VLANs 12-14 on port 1/2
set trunk 1/2 20-22 - Allows VLANs 20-22 on port 1/2

Note that it takes a lot more work to restrict the permitted VLANs on Catalyst OS because every VLAN is allowed on a trunk by default and "set trunk" only adds to the existing list.  Specifying VLANs 12-14 and 20-22 without clearing first means nothing, because those VLANs merely join the pool of 1-1005 that is already allowed.  Cisco Native IOS also allows every VLAN on a trunk by default, but its "switchport trunk allowed vlan" command replaces the whole list in one step (only the "add" and "remove" keywords edit it incrementally), so the single command above is enough.

Failure to lock down the permitted VLANs on a trunk means that whatever sits on the far end of it can reach every VLAN the trunk carries, not just the ones you intended.
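As an added example (not part of the original article), here is the default, negotiable state of a Catalyst port next to a fully locked-down uplink on Native IOS: DTP turned off, the allowed list restricted, and the native VLAN moved to a dead VLAN and tagged, which closes the VLAN hopping path described in the port lockdown section.  The interface name, VLAN numbers and description are placeholders.

```cisco
! Added example, not from the original article. Interface names and VLAN
! numbers are placeholders.
!
! WEAK (factory default on most Catalyst models): the port answers DTP, so
! anything plugged in that sends DTP frames can negotiate a trunk and
! reach every VLAN on the switch.
!   interface GigabitEthernet1/0/2
!    switchport mode dynamic auto
!
! HARDENED uplink
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/2
 description UPLINK-TO-DIST-01
! encapsulation first: on ISL-capable platforms "mode trunk" is rejected
! while the encapsulation is still "auto" (platforms without ISL, such as
! the 2960, do not have this command at all)
 switchport trunk encapsulation dot1q
 switchport mode trunk
! never send or answer DTP
 switchport nonegotiate
! the native VLAN is a dead VLAN with no hosts, so a double-tagged frame
! has nowhere to come from
 switchport trunk native vlan 999
! this REPLACES the allowed list; "allowed vlan add" / "remove" edit it
 switchport trunk allowed vlan 12-14,20-22
 no shutdown
!
! Tag the native VLAN as well, so no untagged frame is ever accepted on a
! trunk. This is global and must match on both ends of every trunk.
vlan dot1q tag native
```

Check the result with "show interfaces GigabitEthernet1/0/2 trunk", which should list 12-14,20-22 as the VLANs allowed on the trunk and 999 as the native VLAN, and with "show interfaces GigabitEthernet1/0/2 switchport", which should report negotiation of trunking as off.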

STP BPDU and Root guard

Hackers can play all sorts of nasty tricks by sending BPDU traffic.  A forged BPDU forces a spanning tree recalculation, and with classic 802.1D the topology takes 30 to 50 seconds to converge, so repeating it gives them an indefinite DoS (denial of service).  They can also hijack traffic by advertising a better bridge priority, becoming the STP root, and pulling inter-switch traffic through their own port.  BPDU guard and Root guard prevent both kinds of attack.

STP BPDU and Root guard for Cisco Native IOS

Command - Description
spanning-tree portfast bpduguard default - Global command: enables BPDU guard on every PortFast-enabled port, so a port that receives any BPDU is error-disabled
spanning-tree guard root - Interface command: enables Root guard on that port, so a superior BPDU received there puts the port into root-inconsistent state instead of moving the root
spanning-tree rootguard - Alternative interface command on some older IOS versions

STP BPDU and Root guard for Cisco Catalyst OS

Command - Description
set spantree portfast bpdu-guard enable - Enables BPDU guard on all PortFast ports of the switch
set spantree guard root 1/1-2 - Enables Root guard on the blade 1 ports
set spantree guard root 3/1-48 - Enables Root guard on the blade 3 ports
Repeat the "set spantree guard root" command for every blade/port ...

Note that BPDU guard must not be enabled on ports that connect to other switches, and Root guard belongs only on ports that should never lead toward the root (for example distribution ports facing access switches), never on an uplink toward the real root, or that uplink will be blocked.  Failure to implement these guards will permit hackers to run a BPDU denial of service against the entire switch infrastructure and possibly intercept inter-switch traffic.
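As an added example (not part of the original article), here is how the two guards are placed on Native IOS so that the caveat above is respected: BPDU guard on every host port of every switch, Root guard only on the distribution ports facing the access layer, plus Rapid PVST+ and a pinned root so that an attacker's BPDU cannot win on priority.  The interface ranges, VLAN list and recovery interval are placeholders.

```cisco
! Added example, not from the original article. Interface ranges, VLAN
! lists and timers are placeholders.
!
! ---- every switch ----
! Rapid PVST+ converges in about a second instead of 30-50 seconds.
spanning-tree mode rapid-pvst
! PortFast on all non-trunking ports, and BPDU guard on every PortFast
! port: a BPDU arriving on a host port error-disables that port.
spanning-tree portfast default
spanning-tree portfast bpduguard default
! Bring an error-disabled port back after 5 minutes so a one-off mistake
! does not need a site visit; a persistent rogue is simply disabled again.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Explicit per-port form for a host port not covered by the defaults.
interface FastEthernet0/10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ---- distribution switch that must remain root ----
! Pin the root bridge so the priority is not left at the default of 32768,
! where any switch with a lower MAC address wins.
spanning-tree vlan 1-4094 root primary
! Root guard on the ports facing access switches: a superior BPDU from
! below puts the port into root-inconsistent state instead of moving the
! root. Do NOT put this on the uplink toward the real root.
interface range GigabitEthernet1/0/1 - 24
 spanning-tree guard root
```

"show spanning-tree inconsistentports" lists any port that Root guard has blocked, and "show spanning-tree summary" confirms that BPDU guard is enabled by default and which mode is running.  Note that "spanning-tree portfast default" applies only to ports in access mode, so trunks are left alone.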

Prevent CAM table and DHCP bombing

Hackers can take advantage of the fact that switches and DHCP servers hold a finite number of MAC and IP addresses.  By sending DHCP requests with many different client hardware addresses, the hacker can lease every single IP address in the DHCP pool (DHCP starvation).  By changing the source MAC address very rapidly, the hacker can fill up the CAM table on any Ethernet switch.  Once the CAM table is full, the switch can no longer learn new addresses and floods frames for unknown destinations out every port in the VLAN, so it behaves like an Ethernet hub: besides massive performance degradation, the hacker can eavesdrop on every device in that VLAN as if he were on a hub.  Port security caps the number of MAC addresses a port may learn, which stops CAM table flooding and the variant of DHCP starvation that changes the source MAC.  A starvation tool that changes only the DHCP client hardware address while keeping one source MAC gets past port security; DHCP snooping (next section) catches that case, because on untrusted ports it checks that the two addresses match.  To prevent CAM table and DHCP starvation attacks, configure port security like the following example.

Prevent CAM table and DHCP bombing on Cisco Native IOS

Command - Description
int range FastEthernet 0/1 - 48 - Enters interfaces 1 through 48
switchport port-security - Turns on port security
switchport port-security maximum 5 - Allows up to 5 MAC addresses
switchport port-security violation protect - Silently drops frames from addresses beyond the 5 ("restrict" drops the same frames but also logs and counts the violations, which is usually what you want)
switchport port-security aging time 2 - Ages secure addresses out after 2 minutes ...
switchport port-security aging type inactivity - ... of inactivity, so that a replaced device does not trip the limit
Repeat these steps for all other ports and all other switches

Prevent CAM table and DHCP bombing on Cisco Catalyst OS

Command - Description
set port security 1/1-2 enable - Enables port security on all blade 1 ports
set port security 3/1-48 enable - Enables port security on all blade 3 ports
set port security 1/1-2 port max 5 - Allows 5 MAC addresses per port on blade 1
set port security 3/1-48 port max 5 - Allows 5 MAC addresses per port on blade 3
set port security 1/1-2 violation protect - Silently drops frames beyond 5 MAC addresses on blade 1
set port security 3/1-48 violation protect - Silently drops frames beyond 5 MAC addresses on blade 3
set port security 1/1-2 age 2 - Ages secure addresses out after 2 minutes on blade 1 ...
set port security 3/1-48 age 2 - Ages secure addresses out after 2 minutes on blade 3 ...
set port security 1/1-2 timer-type inactivity - ... of inactivity (blade 1)
set port security 3/1-48 timer-type inactivity - ... of inactivity (blade 3)
Repeat these commands on all other blades and ports

Note that you must not enable port security on ports that connect to other switches: an uplink legitimately carries hundreds of MAC addresses, and the limit would shut it down.

Prevent DHCP, MAC, and IP spoofing

ARP spoofing (forged ARP replies that claim another host's IP address, typically the default gateway's) and IP spoofing (sending with a source address the host does not own) allow the hacker to pose as someone else in order to hijack traffic.  DHCP spoofing allows an attacker to answer DHCP requests first and put unsuspecting clients on an Ethernet segment under a bogus IP range, with a default gateway and DNS server that make their traffic flow through the attacker to reach the rest of the network.  All three methods are designed to hijack the flow of network traffic so that the attacker can sniff out all sorts of secrets on the internal LAN.  You can prevent these attacks by implementing DHCP snooping, Dynamic ARP Inspection, and IP Source Guard, which all build on the same table of MAC-to-IP-to-port bindings that DHCP snooping learns.

Prevent DHCP, ARP, and IP spoofing on Cisco Native IOS

Global Commands - Description
ip dhcp snooping vlan 1-1000 - Enables DHCP snooping for VLANs 1-1000
ip dhcp snooping - Turns DHCP snooping on globally (the VLAN list does nothing until this is set)
no ip dhcp snooping information option - Stops the switch from inserting DHCP option 82 (relay agent information), which DHCP servers that do not expect it may reject
ip arp inspection vlan 1-1000 - Enables Dynamic ARP Inspection on VLANs 1-1000, validating ARP packets against the DHCP snooping binding table
ip arp inspection log-buffer entries 1024 - Buffers up to 1024 log entries for dropped ARP packets
ip arp inspection log-buffer logs 1024 interval 10 - Emits at most 1024 syslog messages from that buffer per 10-second interval
Host Interface Commands - Description
int range FastEthernet 0/1 - 48 - Enters interfaces 1 through 48
no ip arp inspection trust - Keeps host ports untrusted for ARP (the default), so every ARP packet they send is inspected
ip arp inspection limit rate 15 - Limits inspected ARP to 15 packets per second; beyond that the port is error-disabled
ip verify source vlan dhcp-snooping - Turns on IP Source Guard, which drops IP packets whose source address is not in the binding table for that port (this is the Catalyst 6500 syntax; on the 3560/3750 family the command is simply "ip verify source").  Hosts with static addresses need a static "ip source binding" entry or they will be cut off.
DHCP Client Interface Commands - Description
no ip dhcp snooping trust - Keeps the port untrusted (the default), so DHCP server messages (OFFER, ACK, NAK) arriving on it are dropped
ip dhcp snooping limit rate 10 - Limits DHCP packets to 10 per second; beyond that the port is error-disabled
Only use the following commands for trusted DHCP ports and for ports that link to other trusted switches.  They reverse some of the commands above.  Failure to run them on valid switch interconnects and DHCP server ports will break the network and DHCP.
DHCP Server Interface Commands - Description
ip dhcp snooping trust - Allows DHCP server messages in on this port
Switch Interface Commands - Description
ip arp inspection trust - Skips ARP inspection on a link to a trusted switch (apply "ip dhcp snooping trust" to such uplinks as well, so server replies can cross them)

Note that Cisco Catalyst OS does not support these anti-spoofing features, so it's a good idea to migrate your big CAT OS switches to Native IOS.  This does mean that you will have to merge your MSFC router with the CAT OS switch into a single Native IOS image.

Anti-spoofing is an extremely important component in Layer 2 defenses and hardens the switch infrastructure from internal LAN threats.  Internal threats should be taken just as seriously as external threats because a single workstation that's compromised by malware and rootkit turns an external threat into an internal threat.
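As an added example (not part of the original article), here is a single Native IOS access switch configuration that combines the basic port lockdown, port security, and anti-spoofing sections above, worked through the four port roles a practitioner actually meets: an unused port, a port with an IP phone and a PC behind it, the port facing a DHCP server with a static address, and an uplink to a trusted switch.  The syntax is that of the Catalyst 3560/3750 family; the VLAN numbers, interface names, addresses and MAC address are placeholders.

```cisco
! Added example, not from the original article. VLAN numbers, interface
! names, addresses and MAC addresses are placeholders. Syntax is that of
! the Catalyst 3560/3750 family; check your platform's command reference.
!
! ---- global ----
vlan 333
 name UNUSED
vlan 20
 name USERS
vlan 120
 name VOICE
!
ip dhcp snooping
ip dhcp snooping vlan 20,120
no ip dhcp snooping information option
! keep the bindings across a reload, or every host is cut off until it renews
ip dhcp snooping database flash:/dhcp-snoop.db
ip arp inspection vlan 20,120
! also sanity-check the MAC and IP fields inside inspected ARP packets
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! ---- 1. every port starts shut, in the dead VLAN, unable to trunk ----
interface range FastEthernet0/1 - 48
 switchport mode access
 switchport access vlan 333
 switchport nonegotiate
 shutdown
!
! ---- 2. a port brought into service for an IP phone with a PC behind it ----
interface FastEthernet0/10
 description USER-PORT-Desk-4A
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
! phone plus PC; the phone can be learned in both VLANs
 switchport port-security
 switchport port-security maximum 3
! "restrict" drops like "protect" but also logs and counts violations
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
! IP Source Guard ("ip verify source vlan dhcp-snooping" on the 6500)
 ip verify source
 no shutdown
!
! ---- 3. the DHCP server, static address, so DAI needs a binding for it ----
ip source binding 0011.2233.4455 vlan 20 10.20.0.5 interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/1
 description DHCP-SERVER
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
 no shutdown
!
! ---- 4. uplink to a trusted switch: no port security, trust DHCP and ARP ----
interface GigabitEthernet1/0/2
 description UPLINK-TO-DIST-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
 no shutdown
```

After a few clients have booted, "show ip dhcp snooping binding" should list one entry per host, "show ip verify source" should show each user port filtering on those entries, and "show ip arp inspection statistics" should show forwarded ARP counts with zero drops in normal operation.  The static binding in step 3 is what keeps DAI from dropping the DHCP server's own ARP replies; any other statically addressed host in a snooped VLAN needs the same treatment.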

Limit the size of STP domains

This is one aspect of switch architecture that is often overlooked.  A single STP (spanning tree protocol) domain should never be permitted to grow too large or get overly complex.  I have been on campuses where a single user took down an entire campus with thousands of computers and IP telephones just by accidentally plugging in a small desktop switch and then accidentally looping a CAT-5 cable back into itself.  The same network had mysterious campus-wide VLAN disruptions whenever something in the STP domain issued a BPDU request that caused an STP recalculation, which locked up the entire campus for 30 seconds at a time throughout the entire day.  The disruptions to the data network were bad enough, but it took the IP telephony infrastructure down as well. Hundreds of people couldn't do their jobs because they had no data or phone access.

To avoid oversized and overly complicated STP topologies, you must route traffic between access blocks instead of switching it across them.  Realistically, this means using Layer 3 capable switches at the distribution layer instead of Layer 2 switches that only know how to switch traffic and not route it.  It also means that a VLAN can't span switches that don't belong to the same STP domain: each VLAN lives in one access block and leaves it routed.  These kinds of architectural changes may mean a fundamental redesign of the entire campus LAN, and they are not to be taken lightly, but these issues must be settled before the deployment of any IP telephony system.
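As an added example (not part of the original article), this is what "route instead of switch" looks like on a Layer 3 distribution switch for one access block: the user and voice VLANs terminate on this switch, and the link to the core is a routed point-to-point link, so no VLAN and no spanning tree instance crosses it.  The addresses, VLAN numbers, interface names and the OSPF area design are placeholders.

```cisco
! Added example, not from the original article. Addresses, VLAN numbers,
! interface names and the OSPF design are placeholders.
!
! Distribution switch for one access block. VLANs 20 and 120 exist only on
! this switch and the access switches below it; the STP domain ends here.
ip routing
!
interface Vlan20
 description USERS-Building-A
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.0.0.5
!
interface Vlan120
 description VOICE-Building-A
 ip address 10.120.0.1 255.255.255.0
 ip helper-address 10.0.0.5
!
! Routed uplink: no switchport, no VLAN, no BPDUs toward the core.
interface GigabitEthernet1/0/24
 description ROUTED-LINK-TO-CORE-01
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 router-id 10.255.255.1
 passive-interface default
 no passive-interface GigabitEthernet1/0/24
 network 10.20.0.0 0.0.0.255 area 1
 network 10.120.0.0 0.0.0.255 area 1
 network 10.255.0.0 0.0.0.3 area 1
```

With this design a loop caused by a desktop switch in Building A can still disturb Building A, but "show spanning-tree" on the core will not even list the routed port, so the recalculation stops at the distribution switch instead of rippling across the campus.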

Maintain the switch software to the latest stable build

One of the biggest and most common sins in network security is that people assume the switch and routing infrastructure is the same as plumbing and that you never need to touch it.  But if you're running a Cisco switch or router on a software image that is more than half a year old, you probably have some kind of security vulnerability on your router or switch.  It's sad to say, but I've seen people run three- or four-year-old software images on their Cisco equipment and think nothing of it.

ALWAYS update your networking equipment, just like your client and server computers, with the latest stable software from your hardware vendor, and keep an eye out for updates.  All network and security engineers should be asking themselves "When was the last time I upgraded the software on my network equipment?"  Work out a plan of action that includes an immediate and a long-term plan and present it to management.  Be proactive and don't wait for an incident to occur before acting.

Final thoughts

Layer 2 security is one of the most overlooked aspects of information security and is often missed in security audits, especially when those audits focus more on policy than on actual implementation.  Hackers don't care about policies, and they will take advantage of any security hole available to them.  Layer 2 attacks are among the first things a hacker will deploy after getting root on a single computer inside the network.  One other aspect of Layer 2 attacks that's often overlooked is companies that implement VPN-based wireless LAN security.  Once unauthenticated, anonymous clients are allowed onto an access point, which is typically connected directly to an internal switch and segmented by VLAN, you can forget about Layer 2 security: a single access point port legitimately carries many MAC addresses, so port security cannot be applied to it meaningfully, and every Layer 2 attack described above is available to the anonymous client.  For this reason it is highly recommended that VPN-based wireless LAN security be shunned in favor of 802.1x-based wireless LAN security.  TechRepublic offers its "Ultimate guide to enterprise wireless LAN security" in the form of 10 free articles.  The guide is also available in a downloadable PDF format, which requires free registration.

Beyond these lockdown procedures is the next step in Layer 2 Switch security, which is the wired version of wireless LAN 802.1x security.  Fortunately, the same infrastructure used for wireless LAN authentication also works for wired authentication.  Port-based security basically says that we won't let you on our Layer 2 switch infrastructure, even if you plug into a port, until you prove who you are and that you're authorized to get onto the network.  Although many corporations have implemented 802.1x wireless LAN security, not many have implemented the wired version of 802.1x.  Windows XP automated wireless LAN 802.1x configuration but did not automate wired LAN 802.1x configuration.  This is about to change with Vista, which automates wired and wireless LAN 802.1x configurations.

In addition to the 802.1x enhancements, Vista also adds a NAP (Network Access Protection) client, which is Microsoft's implementation of NAC (Network Access Control).  NAP or NAC takes the concept of 802.1x port-based security one step further by not only demanding authentication and authorization from the client before it is allowed on the network, but also by assessing the health of the client.  If a client can prove who it is and that it is authorized on the network, it must still prove that it is healthy.  NAC health is usually defined as fully patched for security vulnerabilities, a properly configured host-based firewall, and up-to-date antivirus definitions.  If an authorized client computer fails the health test, it is put into quarantine on an isolated network until it remediates itself with the proper updates.

The ideal network of today implements all of the lockdown procedures mentioned in this article.  The ideal network of tomorrow will implement everything in this article in addition to NAP/NAC.