Securing Cisco LANs

Security at Layer 2 is often neglected. Yet, having an open data link layer is like sending an invitation to everybody to hack into your network. Here are some simple "best practice" measures (also some not related to Layer 2) you can take so that attacks don't do damage to your network.

Disable Telnet and enable SSH; secure the management protocol

Telnet is a management protocol that should never be used in production environments. Its main weakness is that it is not encrypted: someone sniffing your traffic could learn your credentials and network configuration.

Example for doing this on a Catalyst switch running IOS:

router(config)# hostname router
router(config)# ip domain-name domain
router(config)# aaa new-model
router(config)# username cisco password cisco
router(config)# crypto key generate rsa
router(config)# access-list 10 permit # the IP of your management console
router(config)# line vty 0 4
router(config-line)# transport input ssh
router(config-line)# access-class 10 in

This also permits only your management station to log in to the switch (access-list 10).
Don't use other unencrypted protocols either, such as SNMP v1 or v2, FTP or TFTP.

Software updates

Keep your switch/router/firewall software updated: every update resolves known security holes. IOS images and ASA/PIX software can be downloaded from Cisco; you need a CCO account though, which isn't a problem if your organisation is a Cisco customer.

Don't use VLAN 1 for any purpose

VLAN 1 is the VLAN to which switch ports are assigned by default, and it is the VLAN in which protocols like CDP, VTP and PAgP were designed to communicate. That's why VLAN 1 sometimes spans the whole network if it is not carefully pruned. A few recommendations:

- don't use VLAN 1 for regular traffic. Prune VLAN 1 from trunks (including on shut down and not connected ports):

switchport trunk pruning vlan {add | except | none | remove} vlan-list [,vlan[,vlan[,,,]]]

- don't use VLAN 1 for in-band management; dedicate another VLAN to management. Apply ACLs to this VLAN to allow SSH traffic only from the administrators' management systems;
- don't configure the management VLAN on ports that don't require it;
- the most secure, yet most expensive, option is out-of-band management. Deploy it where it's worth it;
- use a VLAN other than VLAN 1 as the native VLAN. Set all your trunk ports to this native VLAN. This also mitigates VLAN hopping attacks:

switchport trunk native vlan vlan-id

Disable unused services that can favour attacks

Disable Dynamic Trunking Protocol (DTP). If enabled, it can permit VLAN hopping attacks:

switch(config-if)# switchport nonegotiate

Disable Cisco Discovery Protocol (CDP). Besides the information it could give to an attacker, some IOS versions had a vulnerability that allowed Cisco devices to run out of memory or even crash. Here's how to disable it on an interface:

switch(config-if)# no cdp enable

Turn off VLAN Trunking Protocol (VTP) if it is not used. If you must use it, use MD5 authentication to protect the message exchange between switches. To turn it off, put it in transparent mode on all switches:

switch(config)# vtp mode transparent

To set the VTP password:

switch(config)# vtp password your_password

Use port security

In ARP attacks the intruder first learns IP addresses and other information and then uses them to carry out the attack. With port security you can specify the number of MAC addresses, or the specific MAC addresses, allowed to connect through a port. To enable port security on an interface, for example:

switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 5
switch(config-if)# switchport port-security aging time 2
switch(config-if)# switchport port-security aging type inactivity

This also prevents CAM table attacks.
Since this trades a lot of flexibility for security, you may want to use it only on server ports.

Use DHCP snooping

The easiest way of doing a Denial of Service attack on a LAN is to activate a rogue DHCP server that answers legitimate users' DHCP requests. In most cases, though, this happens when an innocent user mistakenly activates a DHCP server on his host. DHCP snooping is a feature that filters untrusted DHCP messages and builds a DHCP snooping binding table.

You can find out how to configure it here:

Dynamic ARP inspection

A client is allowed to send an unsolicited ARP reply, thus poisoning the ARP tables of the routers; the same information is stored by the other hosts in the subnet. An attacker could use this behaviour to "hijack" traffic. The countermeasure to this attack is dynamic ARP inspection.
Dynamic ARP inspection uses the DHCP snooping binding table and allows only the IP-MAC pairs found in that table. Of course you must configure DHCP snooping first, otherwise there is no binding table to use.
To enable ARP inspection:

switch(config)# ip arp inspection vlan vlan-range

Trust the interfaces connected to other switches:

switch(config-if)# ip arp inspection trust

Mitigate spoofing attacks - IP source guard

If IP source guard is activated, the switch doesn't learn the allowed source address from the device itself but from the DHCP snooping binding table. It operates like dynamic ARP inspection, but it checks every IP packet, not just ARP packets.
To activate IP source guard with source IP address filtering:

switch(config-if)# ip verify source

To activate IP source guard with source IP and MAC filtering:

switch(config-if)# ip verify source port-security
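Because dynamic ARP inspection and IP source guard both consult the DHCP snooping binding table, the three features above are normally configured together. The following is an added end-to-end IOS configuration for an access switch; it is an example written for this article, not the author's own configuration, and it assumes user VLAN 10, GigabitEthernet0/1 as the trunk towards the DHCP server and FastEthernet0/2 - 24 as untrusted access ports.

```cisco
! Added example; assumed topology: VLAN 10 = users, Gi0/1 = uplink, Fa0/2-24 = access ports
! 1. DHCP snooping: build the binding table and drop DHCP server replies on untrusted ports
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
! 2. Only the uplink towards the real DHCP server is trusted, for both DHCP and ARP
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! 3. Access ports stay untrusted: rate-limit DHCP and tie IP+MAC to the binding table
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 switchport port-security
 ip verify source port-security
!
! 4. DAI for the user VLAN, also validating the MAC/IP fields inside each ARP packet
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Verification (exec mode):
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
```

Hosts with static IP addresses have no DHCP binding, so DAI and IP source guard will drop their traffic unless you add them with an ARP ACL (arp access-list) or a static entry (ip source binding).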

STP attack mitigation - BPDU Guard, Root Guard

BPDU guard - disables ports configured with PortFast upon detection of a BPDU on the port:

switch(config-if)# spanning-tree bpduguard enable

Root guard - blocks ports on which a superior BPDU is received that would make the neighbouring switch the root bridge:

switch(config-if)# spanning-tree guard root

BPDU filter - ports configured with BPDU filter will not send BPDUs and will drop all received BPDUs:

switch(config-if)# spanning-tree bpdufilter enable

Preventing broadcast storms

A broadcast storm occurs when broadcast or multicast packets flood a subnet, degrading network performance. Enable broadcast suppression (storm control) on the interface:

switch(config-if)# storm-control broadcast level level [level-low]

Implement 802.1x

802.1x provides an authentication system for devices wishing to attach to a LAN port: only authenticated systems can access the network, and the credentials can even be Windows domain credentials. I won't detail it here; this would be the subject of a later article.

Filtering routing protocol updates

Routing protocol updates towards the LAN make no sense, as you don't have any routers there requiring them. Only attackers could make use of them to gain knowledge of your network. Suppressing updates can be activated on all interfaces by default and then disabled only on the interfaces that need to exchange them. Here's an example for OSPF:

router(config-router)#passive-interface default
router(config-router)#no passive-interface fastEthernet 0/2

With this, only interface f0/2 will exchange routing updates.

If you think of other attacks and measures to mitigate them please post it and I can update the article with new stuff.
