SECURE ALL THE SWITCHES! Part 1: Port Security
In our past Network Takedown series we covered how to own a network using a switch’s default security configuration. In our new SECURE ALL THE SWITCHES! series we will be covering in-depth countermeasures that you can deploy in your network to help defend against network switch pwnage.
Part 1: Port Security
A CAM table overflow attack is an attack on a switch’s limited size CAM table (surprise!). Basically an attacker can spam your switch with enough MAC addresses that it overruns the switch’s limited content addressable memory assigned to storing MAC addresses, in the case of our lab switch it can only maintain a table of 8192 addresses. Once the CAM table (also referred to as the MAC address table) is full the switch’s failover is to treat traffic from all new devices similar to the way a hub handles traffic, spam it to all its ports. Special consideration will also have to be taken when working with ports connected to a wireless access point depending on which vendor you use. With traffic being spammed to all of the ports the attacker could simply set up a packet capture and listen in on all the conversations flowing over the network.
The Defense Plan:
Thankfully a CAM table overflow attack is a fairly easy one to stop, but it does require some leg work. The best way to stop an attacker from overflowing your switch is to simply limit the amount of MAC addresses allowed per port on your switch ports down to a logical amount, typically a number around 5 addresses. In addition you can limit the amount of mac addresses allowed over your trunk ports to other switches. This will require some research on your end because you do not want to set the number of allowed MAC addresses too low on your access ports or trunk ports and cause legitimate traffic to be blocked. Things to consider: Do you have IP phones on your network that you string clients through? Do you allow the use of 5-port unmanaged switches in your network (naughty you!)? Do you have clients with virtual machines? In the end, even if you are fairly liberal with the amount of addresses you allow, you will still be blocking an attacker from overflowing your CAM table.
A Cisco Network Switch running a semi-new version of IOS. I will be using a Cisco 2960S in this series.
For Access Ports:
An access port is the front line of your network defense, thus most of our time will be spent with the various port security options and what they can do for you in securing your network.
The basic port security configuration looks like this:
In order for you to configure port security on an access (edge port) you need to setup the port as access at which point you can apply the switchport port-security command. This configuration turns on port security and sets the port security options to default. The default options are to limit the port to one MAC address and to shut down the port on violation. This can be confirmed by issuing the show port-security int gig 1/0/1 command.
In order to allow more than one MAC address on a port a modification will need to be made in the port-security configuration as well.
Additionally we can tell the switch what we want it to do when the amount of allowed MAC address is exceeded.
Shutdown – (default) shuts the port down until the administrator issues a shut/no shut.
Shutdown vlan – shuts down access to the specific vlan that exceeded the maximum allowed MAC addresses instead of the entire port.
Protect – Allows network access up to and including the set maximum number of MAC addresses, but blocks anything above that number.
Restrict – Works just like protect, but logs the violation.
My personal favorite is Restrict, mostly because you aren’t spending all of your time re-enabling switch ports that exceeded the maximum allowed MAC addresses while not allowing for CAM table shenanigans.
Lastly you can specify a MAC address as one of the allowed MAC addresses on the port to always allow a specific device access independent of what else is connected to the port.
For Trunked Ports:
Trunk ports or switch uplink ports as they are often called are configured differently from individual access (edge) ports. The main difference is that you have to configure the amount of allowed MAC addresses over the link based on individual vlans. Again, remember that you can have hundreds, sometimes thousands of devices connected on the other side of a trunked port.
Once everything is configured you can view the ports that have port security enabled with the show port-security command.
You can also view the addresses associated with each port by issuing the show port-security address command.
That’s it for today, but stay tuned for Part 2 of the SECURE ALL THE SWITCHES! series which will cover the joys of DHCP snooping and how it can help defend against rogue DHCP servers.