Monday, December 24, 2012

Cisco Security Part II - Security at the port level

2. Security at the port level


A switch is used to interconnect different devices: desktops, laptops, servers, printers, other switches and so forth. By granting a device access to the network, an administrator increases the likelihood of a security breach and enlarges the vulnerability landscape. Here are three things a connected device can do:

  • Connection of a non-approved device. Particularly nowadays, with BYOD being the buzzword, the number of personal devices that can be connected to the network has exploded.
  • Abuse of the port, for example by forming a trunk that gives the device access to networks it is not supposed to reach directly.
  • Injection of control frames into the network, for example to modify the spanning-tree topology.
Of course, there are many, many more possible attacks. However, the purpose of this document is not to enumerate everything known to mankind: by the time this document hits the web, there will already be new ones to add.

2.1 Trunk/access

When interconnecting two switches, the need to transmit frames that belong to different virtual LANs (VLANs) may arise. To do so, network device vendors came up with different solutions, such as ISL from Cisco. Later, the protocol for transmitting multiple VLANs over a single physical connection was standardized by the IEEE as 802.1Q.

Trunking is also used in IP telephony: the usual setup is to have the PC piggy-back on the phone, which acts as a small switch. The "normal" data traffic is sent and received as-is, and the voice traffic is encapsulated within 802.1Q. This makes it possible to keep the two kinds of traffic separate and to use additional fields in the 802.1Q header to prioritize the voice traffic over other forms of traffic.

However, if not restricted, this ability can also be a recipe for disaster. For example, if all the ports carry all the VLANs or have the ability to create a trunk, an attacker could leverage that to gain access to other networks by sending tagged frames back to the switch.

In Cisco terminology, a trunk is called a "trunk" port (obvious, isn't it?) and a non-trunk port is called an "access" port. An access port won't send any 802.1Q encapsulated frame to the connected device. In the receive direction, a tagged frame will be dropped.

In order to configure a port as access or trunk, the "switchport" command is used in interface configuration mode:

interface GigabitEthernet 0/10
 switchport mode access

This will instruct the switch to treat the port Gi0/10 as an access port.

Once a port's mode has been set, further configuration is possible. For instance, if the port is an access port, the VLAN on which that port resides can be set with:

switchport access vlan 20

Likewise, a trunk port with native VLAN 10 (defined below) and tagged VLANs 20 and 30 is configured with:

interface GigabitEthernet0/11
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30

The native VLAN on a trunk is the VLAN into which all untagged received frames are placed, and whose frames are sent untagged. Numerous documents refer to the danger of the native VLAN with regard to VLAN hopping or the abuse of Q-in-Q. A good practice is to make sure the native VLAN of all your inter-switch trunks is not assigned to any user VLAN.

2.2 Negotiation of a trunk (DTP)


Cisco switches allow a trunk to be dynamically formed. This means that if you don't force the mode, the connected device can announce itself as a switch and negotiate a trunk. The protocol responsible for this is Dynamic Trunking Protocol or DTP.

With the mode forced to access, the negotiation is automatically stopped. If the mode is set to trunk and negotiation is left on, the switch will use DTP to inform its peer that it can form a trunk.

To disable trunk negotiation explicitly, the command is:

switchport nonegotiate

2.3 Spanning-tree

Spanning Tree is the protocol responsible for negotiating a loop-free topology, even if the physical infrastructure has loops, for example for redundancy. It works by electing a root switch, which then sends specific frames called BPDUs (Bridge Protocol Data Units) that all switches in the topology have to forward following certain rules.

Based on the BPDUs and the ports on which they were received, each switch designates a root port leading to the root, possibly through other switches, a set of designated ports that other connected switches use to reach the root, and a set of blocked ports. These are ports the switch could also use to reach the root, but at a higher cost.

These BPDUs have multiple roles: they can announce a better path to the root, they are used to hold the root election and they can influence the whole topology.

From the above, an attacker can abuse this protocol either to perform a DoS against the network or to have all the traffic forwarded through a specific machine.

When designing a network, it is important to minimize the role of spanning-tree by using other techniques, such as bonding multiple interfaces into a single logical interface called a port-channel or an etherchannel.

When a port comes up, the default behavior is to wait for a certain amount of time, which depends on the version of spanning-tree used, before determining what the role of the port should be (root, designated, blocked). Cisco invented a mechanism called "portfast" that permits the port to start forwarding before that time.

With that came the risk of creating short network loops, until the port receives its first BPDU and adopts the relevant state.

2.3.1 bpduguard

Cisco developed a security feature to force a port to go immediately down if a BPDU is received. The BPDU will be dropped as well.

If a port is connected to a phone or a computer, there is no valid reason why a BPDU should be received. So if a BPDU is received on a port connected to a user device, this could indicate:

  • an attempt to inject BPDUs into the network, regardless of the reason;
  • a temporary loop in the network due to incorrect network settings on a computer or a connectivity issue;
  • a replay of a previous network capture;
  • and possibly other reasons.
In such an event, a reasonable thing to do is to drop the port to the down state, to prevent further incidents. This is configured on an interface with:

interface GigabitEthernet 0/12
 spanning-tree bpduguard enable

Upon reception of a BPDU on the port, the port goes into the err-disabled state. To correct this, the port needs to be reset (shutdown/no shutdown), or the automatic error recovery mechanism needs to be activated. The latter is not recommended, as it will put the port back in service on its own, possibly allowing the activity to resume.

It is also worth noting that the default for this command differs between IOS and NX-OS: a "show configuration all" will display these values.

2.3.2 bpdufilter

In situations where bpduguard is not welcome, for instance on uplinks to a provider, another mechanism exists: bpdufilter. Instead of shutting the port down, bpdufilter drops all BPDUs, incoming and outgoing. This has the side effect of splitting the spanning-tree domain in two.

In the past, I had to help an ISP configure it: his switch connected to his clients frequently had issues. It was found that on some occasions, the spanning-tree root role changed from his internal network to a client's.

However, it needs to be understood that, as spanning-tree is no longer working across that port, topology loops in this situation have to be addressed manually, for instance by activating links by hand, or by using techniques that negate the need for spanning-tree, such as etherchannel, or unique VLANs with an L3 redundancy solution.

The configuration looks like bpduguard's:

interface GigabitEthernet0/12
 spanning-tree bpdufilter enable

2.3.3 portfast / port type edge

The spanning-tree protocol mandates that a port goes through various states before being able to forward traffic. During these states, no traffic is received or emitted besides BPDUs.

A way to speed up that process is to declare the port as "portfast" or "type edge". It means that spanning-tree will take a shortcut through the states and the port will be able to forward shortly after coming up.

However, this has to be weighed: on the one hand, a user device will have access to the network sooner, but on the other hand, it permits the creation of temporary loops - until the first BPDU is seen, the link forwards. As soon as a BPDU arrives on the port, the normal spanning-tree decision concerning the port role (root, designated, etc.) is taken and one end of the loop will be blocked.

An attacker could leverage this fact to create temporary, short-lived loops to disrupt the switch operations. If successful, this can create either a switch-wide or a topology-wide outage.

Other ways of dealing with the timers are possible: one could use rapid spanning-tree and shorten the Hello BPDU timer from 2 seconds to 1 - as more BPDUs are sent, the expected life of a loop is cut down, limiting the risk or the possibility of perpetrating such an attack. This, however, has to be evaluated, as a shorter timer may also increase the risk of instability on the network: a transient frame drop on a link can result in flapping between that link and a backup link, possibly amplifying the problem.

2.4 Mac address learning on a port

The role of a switch is to build a table of which MAC address resides on which port, and to forward frames accordingly. This allows for point-to-point communication between two devices within the same VLAN, without impacting the other connected devices. A way of describing this is to state that the collision domain is limited to the port and the device connected to it.

As the switch has to consult that MAC-to-port table for every frame, it is kept in dedicated memory called CAM (Content Addressable Memory), a special type of memory that exists in limited quantity in any device.

An attack of the "old days" was to generate many frames with random source MAC addresses. This caused the switch to learn these in its CAM, filling it to the point that no new entry could be created. Any new MAC would not be learned, and the switch would fall back to flooding frames destined to these legitimate but unknown addresses out of all ports, transforming the switch into a hub and allowing an attacker to sniff the corresponding traffic.

2.4.1 Number of permitted mac addresses


The first line of defense offered by a switch is to limit the number of MAC addresses permitted on a given port - beyond that number, the switch will either drop the frame or even shut the port down. MAC address counting includes the VLAN ID in the learning: the same address seen on the same port but on two different VLANs counts as two entries, one per VLAN. This is important to understand when using devices such as IP phones, which may start in one VLAN and jump to a different VLAN afterwards.

The question now is: what about forgetting the known addresses? Should the switch keep them forever? Or forget these entries after a certain time?

2.4.2 Sticky Learning

In a static world, a machine is always connected to the same port, and thus its MAC address will always be seen on the same port. In that case, sticky learning is possible, meaning that the switch will permanently - even across reboots - remember the association.

A nice - or annoying, depending on your goals - feature of this memorization is that if a MAC address known on a given port is seen as a source address on another port, the frame will be dropped and a security violation logged.

2.4.3 Aging considerations

However, the world is not static: laptops move from offices to meeting rooms, workstations are installed and reused, and so forth. So the concept of sticky learning doesn't work well, or one needs an army of network administrators to prune the entries as machines are moved.
Another possibility is to enforce a certain time after which the entry will be forgotten. This time is either an idle time (no frame exchanged for a certain period) or absolute (the address is removed even if traffic is seen, leading to the address being learned again if need be).

2.4.4 Actions for violations

As mentioned, the action can be the simple drop of the frame, the drop of the frame plus logging, or even shutting the port down completely.

Deciding which one to use is a matter of policy and of how much you want the issues to surface - if the only thing that happens is the frame being dropped, the event may go unnoticed until a user complains about a problem. On the other hand, if the port is shut down, a visible trace of the event exists, which can be investigated and acted upon.
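To make the behaviour described in 2.4.1 to 2.4.4 concrete, here is a small simulation of a port-security table. It is an added example written for this post, not Cisco code: the MAC addresses, VLAN numbers and timings are constructed, and the violation names follow the IOS keywords (protect: drop, restrict: drop and log, shutdown: err-disable the port).

```python
class SecurePort:
    """Constructed model of one port-security enabled switch port (not Cisco code)."""

    def __init__(self, maximum=1, violation="restrict", sticky=False,
                 aging_time=None, aging_type="absolute"):
        self.maximum = maximum          # permitted (vlan, mac) entries on the port
        self.violation = violation      # "protect", "restrict" (drop+log) or "shutdown"
        self.sticky = sticky            # sticky entries are kept and never age out
        self.aging_time = aging_time    # minutes; None means entries are never aged
        self.aging_type = aging_type    # "absolute" (since learned) or "inactivity"
        self.table = {}                 # (vlan, mac) -> [learned_at, last_seen]
        self.err_disabled = False
        self.log = []                   # (time, vlan, mac) of logged violations

    def _expire(self, now):
        if self.sticky or self.aging_time is None:
            return
        idx = 0 if self.aging_type == "absolute" else 1
        for key in [k for k, t in self.table.items() if now - t[idx] >= self.aging_time]:
            del self.table[key]

    def receive(self, mac, vlan, now):
        """Frame with source `mac` on `vlan` at minute `now`: "forward", "drop" or "err-disabled"."""
        if self.err_disabled:
            return "err-disabled"
        self._expire(now)
        key = (vlan, mac.lower())
        if key in self.table:               # known on this port and VLAN: refresh
            self.table[key][1] = now
            return "forward"
        if len(self.table) < self.maximum:  # room left: learn it (counted per VLAN)
            self.table[key] = [now, now]
            return "forward"
        if self.violation != "protect":     # restrict and shutdown both log
            self.log.append((now, vlan, key[1]))
        if self.violation == "shutdown":
            self.err_disabled = True
            return "err-disabled"
        return "drop"


def phone_and_pc_demo():
    """Why a phone-plus-PC port needs more than maximum 2: the phone is counted once
    in the data VLAN, then again after it moves to the voice VLAN."""
    port = SecurePort(maximum=2, violation="restrict", sticky=True)
    results = [port.receive("0011.2233.4455", 10, 0),   # phone, still in data VLAN 10
               port.receive("0011.2233.4455", 20, 1),   # phone, now in voice VLAN 20
               port.receive("00aa.bbcc.ddee", 10, 2)]   # PC on VLAN 10: third entry
    return results, len(port.log)   # → (["forward", "forward", "drop"], 1)
```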

2.4.5 Putting it together 

Now, time to show some configurations.

2.4.5.1 Basic port security: 3 MAC addresses, no sticky learning, drop-and-log upon violation, portfast and bpduguard, MAC addresses forgotten after 5 minutes.

This configuration is more or less the average case: it will work fine in many situations.

interface gigabitEthernet 0/12
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 [rest of the configuration]

2.4.5.2 Sticky learning, 2 MAC addresses, drop-and-log upon violation, portfast and bpduguard.

This could be used for a server. The first two MAC addresses seen on the port are learned.

interface gigabitEthernet 0/12
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 [rest of the configuration]

2.5 Recommended configurations

2.5.1 Workstation

We assume this machine is installed at a desk, will never be moved, and has no phone attached.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.2 Laptop/meeting room

That machine may be moved between ports.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.3 Phone with computer attached

The phone starts in the data VLAN and moves to the voice VLAN; a workstation is attached to the phone.

Note: the phone negotiates its voice vlan using either CDP or LLDP, but this will not be discussed in this document.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport voice vlan YY
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.4 Server / router

This assumes that there is no virtual or cluster IP.

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport nonegotiate

2.5.5 Network provider / external party

interface gigabitEthernet 0/12
 switchport mode access
 switchport access vlan XX
 switchport port-security
 spanning-tree portfast
 spanning-tree bpdufilter enable
 switchport nonegotiate
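As an added example (not part of the original post and not a Cisco tool), here is a small Python script that parses an IOS-style running-config and reports ports that deviate from the recommendations above: access ports without a forced mode, nonegotiate, port-security or BPDU protection, and trunks whose native VLAN is a user VLAN. The sample configuration and the set of user VLANs are constructed for the example.

```python
import re
# Constructed sample of an IOS-style running-config, not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 20
 switchport port-security
 spanning-tree bpduguard enable
 switchport nonegotiate
!
interface GigabitEthernet0/11
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet0/12
 switchport access vlan 20
 spanning-tree portfast
!
"""

def parse_interfaces(config):
    """Return {interface name: set of its indented config lines}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), set())
        elif line.startswith(" ") and current is not None:
            current.add(line.strip())
        else:
            current = None      # "!" or any other top-level line closes the stanza
    return interfaces

def audit(config, user_vlans=frozenset({20, 30})):   # constructed user VLAN set
    """Return (interface, finding) pairs where a port deviates from section 2.5."""
    required = {"switchport mode access": "mode not forced to access, DTP could form a trunk (2.2)",
                "switchport nonegotiate": "DTP not disabled (2.2)",
                "switchport port-security": "port-security not enabled (2.4)"}
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:     # trunk: only check the native VLAN advice
            native = [int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")]
            if native and native[0] in user_vlans:
                findings.append((name, "native VLAN is a user VLAN (2.1)"))
            continue
        findings += [(name, why) for cmd, why in required.items() if cmd not in lines]
        if not lines & {"spanning-tree bpduguard enable", "spanning-tree bpdufilter enable"}:
            findings.append((name, "no bpduguard or bpdufilter on an edge port (2.3)"))
    return findings
```

Running audit(SAMPLE_CONFIG) flags only GigabitEthernet0/12, once per missing command.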