Layer 2 security on certain Cisco hardware

BPDU Guard
Bridge Protocol Data Unit: used by switches to talk to each other and build the tree via STP.
Avoids collapsing a network when a misconfigured switch is added to a spanning-tree instance.
Avoids traffic hijacking (root bridge).

IP Source Guard
Now, to stop malicious people from using IP addresses that weren't assigned to them, we use IP Source Guard. Even better, we can also stop clients from forging their MAC address.
MAC address filtering makes flooding the switch impossible. Flooding is a technique by which an attacker sends so many MAC addresses from their port that the switch's MAC table overflows. The switch then has no choice but to flood all Ethernet frames out of every single port, since it doesn't know which MAC is connected where, allowing an attacker to see all the traffic across the switch. Some viruses have been known to do this as well.

Switch(config-if)# ip verify source vlan dhcp-snooping

But be careful! If the DHCP table doesn't have an association for this port, you've just stopped all IP traffic from it. It is recommended that DHCP snooping be turned on a day before enabling IP Source Guard, to allow it to gather information.
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211

Port Security
To apply MAC address security, you must turn it on, then configure the appropriate options:

! Set explicit access mode (dynamic or trunk ports can't have port security)
Switch(config-if)# switchport mode access
! Enable port security
Switch(config-if)# switchport port-security
! Specify how many MAC addresses can be used:
Switch(config-if)# switchport port-security maximum 1
! Action to take when a violation happens:
Switch(config-if)# switchport port-security violation {restrict | shutdown}

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211

What is CIST?
Catalyst Integrated Security Toolkit. It contains 3 security features:
DHCP Snooping
Dynamic ARP Inspection
IP Source Guard

DHCP snooping
Your target: stop untrusted devices from acting as a DHCP server.
DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted DHCP message is a message received from outside the network or firewall; such messages can be used to cause denial-of-service attacks.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch. An untrusted interface is an interface configured to receive messages from outside the network or firewall. A trusted interface is an interface configured to receive only messages from within the network.
DHCP snooping can be enabled on the switch per VLAN, since it intercepts DHCP messages at layer 2. The following is a step-by-step procedure to enable and configure DHCP snooping on Cisco Catalyst switches running Cisco IOS.
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_DHCP_snooping_in_Cisco_Catalyst_switches_running_Cisco_IOS_System_Software
http://www.itsyourip.com/cisco/enableconfigure-dhcp-snooping-in-cisco-catalyst-switches-ios/

Enable DHCP Snooping
ciscoswitch(config)# ip dhcp snooping

Enable DHCP Snooping on VLANs
DHCP snooping can be enabled on one or more VLANs or on a range of VLANs.
ciscoswitch(config)# ip dhcp snooping vlan 100
The above enables DHCP snooping on VLAN 100. To enable it on more VLANs:
ciscoswitch(config)# ip dhcp snooping vlan 10-15,100,110
Here DHCP snooping is enabled on VLANs 10-15, 100 and 110.

Enable DHCP Option 82
This allows DHCP option 82 information to be inserted into the packets. Option 82 is the Relay Agent Information Option, as described in RFC 3046.
ciscoswitch(config)# ip dhcp snooping information option

Configure Trust Interface
An interface not explicitly configured as a trusted interface is treated as an untrusted interface.
ciscoswitch(config)# interface fa0/0
ciscoswitch(config-if)# ip dhcp snooping trust

DHCP Snooping Rate Limiting (optional)
Rate limiting restricts the number of DHCP packets per second (pps) that an interface can receive.
ciscoswitch(config-if)# ip dhcp snooping limit rate 202
Here "202" indicates that the interface can receive 202 messages per second.
This should configure DHCP snooping on Cisco IOS switches.

Display DHCP Snooping
ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
    10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20

Display DHCP Snooping Binding Table
ciscoswitch# show ip dhcp snooping binding
MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
-----------     -----------     ----------------     -----       -----     ------------
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1

! Turn on snooping for the entire switch:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan [number or range]
! Our DHCP server:
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust
! An untrusted client (not a required step):
Switch(config)# interface FastEthernet 2/1
Switch(config-if)# ip dhcp snooping limit rate 10
! A range of ports configured as trusted:
Switch(config)# interface range FastEthernet 2/0/1 - 8 , GigabitEthernet 1/0/1 - 3
Switch(config-if-range)# ip dhcp snooping trust

Dynamic ARP Inspection
Validates Address Resolution Protocol (ARP) packets in a network.
Allows the switch to intercept, log, and discard ARP packets with invalid MAC-address-to-IP-address bindings.
Prevents ARP poisoning attacks.
Also against DHCP pool lease starvation.
Protects the network from certain "man-in-the-middle" attacks, e.g. Cain & Abel.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/dynarp.html

How does it work?
By intercepting all ARP requests and responses. Each intercepted packet is verified for a valid MAC-address-to-IP-address binding before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.
Gratuitous ARP?

How does it work?
DAI determines the validity of an ARP packet based on the valid MAC-address-to-IP-address bindings stored in a trusted database. This database is built at runtime by DHCP snooping, provided that it is enabled on the VLANs and on the switch in question. DAI performs validation checks in the CPU, so the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack on the switch.
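To show how the three CIST features above fit together (the DHCP snooping binding table, the IP Source Guard check and its "no binding, no IP traffic" caveat, and DAI's binding check plus ARP rate limit), here is a small added model written for this page, not code from the slides or from Cisco. Port names, MAC and IP addresses are constructed samples; the 15 pps ARP limit used for untrusted ports is the IOS default.

```python
from collections import defaultdict

class Switch:
    """Toy model of DHCP snooping, IP Source Guard and DAI on one switch."""
    def __init__(self, trusted_ports, arp_rate_limit=15):
        self.trusted = set(trusted_ports)     # ports facing the real DHCP server / uplinks
        self.bindings = {}                    # (client port, vlan) -> (mac, ip), one per port here
        self.arp_seen = defaultdict(int)      # ARP packets counted per untrusted port
        self.arp_rate_limit = arp_rate_limit  # IOS default for untrusted ports: 15 pps

    def dhcp_ack(self, server_port, client_port, vlan, mac, ip):
        """DHCP snooping: server replies are accepted only from trusted ports;
        an accepted lease becomes a binding for the client's port."""
        if server_port not in self.trusted:
            return "drop: DHCP server reply on untrusted port (rogue server)"
        self.bindings[(client_port, vlan)] = (mac, ip)
        return "ok: binding learned"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: IP traffic on an untrusted port must match its binding.
        A port with no binding at all forwards no IP traffic (the slide's caveat)."""
        if port in self.trusted or self.bindings.get((port, vlan)) == (src_mac, src_ip):
            return "forward"
        return "drop: no matching DHCP snooping binding"

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """DAI: ARP on untrusted ports is rate-limited (CPU protection) and the
        sender MAC/IP pair is checked against the binding table."""
        if port in self.trusted:
            return "forward"
        self.arp_seen[port] += 1
        if self.arp_seen[port] > self.arp_rate_limit:
            return "err-disable: ARP rate limit exceeded"
        if self.bindings.get((port, vlan)) == (sender_mac, sender_ip):
            return "forward"
        return "drop: invalid MAC-to-IP binding"

def demo():
    sw = Switch(trusted_ports={"Gi5/1"})   # constructed: Gi5/1 faces the real DHCP server
    r = {}
    r["rogue"] = sw.dhcp_ack("Fa2/2", "Fa2/1", 100, "0000.0100.0201", "10.0.0.1")
    r["lease"] = sw.dhcp_ack("Gi5/1", "Fa2/1", 100, "0000.0100.0201", "10.0.0.1")
    r["ip_ok"] = sw.ip_packet("Fa2/1", 100, "0000.0100.0201", "10.0.0.1")
    r["ip_spoof"] = sw.ip_packet("Fa2/1", 100, "0000.0100.0201", "10.0.0.2")
    r["ip_nobind"] = sw.ip_packet("Fa2/3", 100, "0000.0100.0203", "10.0.0.3")
    r["arp_spoof"] = sw.arp_packet("Fa2/1", 100, "0000.0100.0201", "10.0.0.254")
    r["arp_ok"] = sw.arp_packet("Fa2/1", 100, "0000.0100.0201", "10.0.0.1")
    for _ in range(20):                     # an ARP burst on a port with no binding
        r["arp_flood"] = sw.arp_packet("Fa2/3", 100, "0000.0100.0203", "10.0.0.3")
    return r

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} {outcome}")
```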