
Network Foundation Protection Controls

I. INFRASTRUCTURE THREATS AND CONTROLS


a. Device Attacks
i. Session spoofing and hijacking (man-in-the-middle attacks, DHCP spoofing)
ii. Capturing authentication credentials (for example from plaintext management
protocols such as Telnet)
iii. Exploiting defects and configuration errors: no root guard or BPDU guard
configured, Telnet instead of SSH used for access to devices
iv. Installing rootkits and malware on the device
v. Impersonation (trust exploitation)
b. Network Infrastructure Threats
i. Traffic Capture
ii. Traffic Injection
iii. Denial of service
II. NETWORK FUNCTIONALITY PLANES
i. Data plane
1. The majority of network traffic (service-provider or end-user traffic): packets
generated by your users that transit the device. The destination address of
data-plane traffic is always a host, never the router itself.
ii. Control Plane
1. Associated with the routing processes and the other network protocols the device
runs; mainly communication between routers. Control-plane traffic consists of
"receive" packets, i.e. packets addressed to the router itself and handed to its CPU.
iii. Management Plane
1. Used to access, monitor and manage network devices. It also consists of receive
packets destined to the device (SSH, TFTP, SNMP, Syslog).
iv. Services Plane
1. Customer traffic that is dedicated to network-based services, for example
tunneling through a router: MPLS and VPN traffic traversing the device.
III. NFP DEPLOYMENT MODEL
a. Core
i. This is where you will have your fast pipe. This is where you harden your multilayer
switches.
b. Distribution
i. More policies are applied at this layer: authentication of routing protocols and
filtering take place here, as do MPF (Modular Policy Framework) and C3PL (Cisco Common
Classification Policy Language) policies and anti-spoofing filters.
c. Access Layer
i. At this layer we implement VLANs, 802.1X, STP/VTP hardening, access control lists,
intrusion prevention and so on.
IV. NFP CONTROL AVAILABILITY
a. Small to medium business (SMB) sized model
i. 802.1X, VLANs, STP, VTP, ACLs, IDS, IPS and QoS are all part of this model.

Private Vlans and PVLAN Edge

I. LAYER 2 ATTACKS AND COUNTERMEASURES


a. IP Spoofing
i. The attacker uses a fake source IP address to hide their real one. To mitigate this
attack, use IP Source Guard or a port-based access control list (PACL).
b. STP Spoofing
i. The attacker sends BPDUs to influence the operation of STP, for example to become the
root bridge so that traffic is re-routed through them or black-holed. Use BPDU guard (on
access ports) and root guard (on ports that must never become root ports) to mitigate
this attack.
c. MAC Spoofing
i. The attacker claims another host's MAC address to steal its identity and black-hole
its traffic. Tools such as macof (from the dsniff package) also poison the MAC table by
flooding it. Port security, or static CAM table entries (which do not scale), mitigate
this threat. Some of these tools are listed at www.insecure.com
d. DHCP Spoofing
i. The attacker poses as a legitimate DHCP server and hands out a default gateway or DNS
server under their control, so that clients' traffic is redirected to them, where it can
be intercepted or disrupted. To mitigate this threat, use DHCP snooping.
e. ARP Spoofing
i. The attacker sends forged ARP replies to redirect network traffic to themselves and
intercept the normal flow of traffic; they can also spoof host identities with this
attack. Use the Cisco IOS Dynamic ARP Inspection (DAI) feature to mitigate this threat.
f. VLAN Hopping
i. The attacker injects frames that give them access to VLANs that should not be
accessible from a particular port, taking advantage of DTP left at its default (dynamic)
setting or of the untagged native VLAN on a trunk. To mitigate this, hard-code access
ports (switchport mode access), disable DTP negotiation (switchport nonegotiate), and use
a dedicated, unused native VLAN on trunks rather than one that is also assigned to access
ports.
g. CAM Floods
i. The attacker overflows the CAM table so that the switch floods unknown unicast frames
out every port, effectively turning it into a hub, and can then sniff all network
traffic. To mitigate this threat, limit the number of MAC addresses per access port with
port security.
h. DHCP Starvation
i. The attacker requests leases with many spoofed client MAC addresses until the DHCP
server's pool is exhausted, so that legitimate clients cannot obtain an IP address. To
mitigate this threat, limit the number of MAC addresses per port with port security and
use DHCP snooping rate limiting.
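The following Cisco IOS configuration is added here as a worked example (it is not from the original notes) to tie the mitigations listed above to the commands that implement them on a Catalyst access switch: port security against CAM flooding, DHCP starvation and MAC spoofing; PortFast with BPDU guard against STP spoofing; hard-coded access mode, DTP disabled and a dedicated native VLAN against VLAN hopping. The hostnames ALS1 and DLS1, the interface numbers and the VLAN IDs are assumptions. DHCP snooping and Dynamic ARP Inspection have their own section later in these notes and are not repeated here.

```cisco
! ALS1 - access switch hardening (example; hostname, VLANs and ports are assumptions)
!
! Global: BPDU guard on every PortFast port, and automatic recovery of err-disabled ports
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! User-facing access ports: hard-coded access mode, no DTP, port security,
! PortFast + BPDU guard (STP spoofing), MAC limit (CAM flood, DHCP starvation, MAC spoofing)
interface range FastEthernet0/2 - 24
 description user access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink to the distribution layer: explicit trunk, DTP off, dedicated unused native VLAN,
! only the VLANs that belong on this trunk. Native VLAN 999 is never assigned to an access
! port, which defeats double-tagging VLAN hopping.
interface GigabitEthernet0/1
 description uplink to DLS1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Root guard belongs on the distribution switch's ports that face the access layer (not on
! the access switch's uplink), so that no access switch can ever become the root bridge:
! DLS1(config-if)# spanning-tree guard root
!
! Verification
! ALS1# show port-security interface FastEthernet0/2
! ALS1# show spanning-tree summary
! ALS1# show interfaces GigabitEthernet0/1 trunk
! ALS1# show interfaces FastEthernet0/2 switchport
```

The "switchport trunk encapsulation dot1q" line is required on platforms that also support ISL (3560/3750) before "switchport mode trunk" is accepted; on dot1q-only platforms such as the 2960 it does not exist and is simply omitted. "violation restrict" drops offending frames and raises a counter and syslog message without err-disabling the port; use "violation shutdown" where you would rather lose the port than risk a flood.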
II. PRIVATE VLANS EXPLAINED

The main purpose of Private VLANs (PVLANs) is to provide the ability to isolate hosts at Layer 2
instead of Layer 3. A VLAN is a broadcast domain; a PVLAN splits that domain into smaller
sub-domains. For example, without PVLANs, a service provider that wants to increase security by
isolating customers into separate domains, so that they cannot access each other, has to assign
them to different VLANs with different subnets. This wastes IP addresses and makes VLAN
management harder. PVLANs solve this problem by isolating devices at Layer 2 while they remain
in the same subnet. A PVLAN can be considered a "VLAN inside a VLAN".

There are three types of ports in PVLAN:

* Isolated: can only communicate with promiscuous ports. Note that an isolated port cannot
even communicate with another isolated port. There can be only one isolated VLAN per primary
VLAN.
* Promiscuous: can communicate with all other ports. The default gateway is usually connected to
this port so that all devices in PVLAN can go outside.
* Community: can communicate with other members of that community and promiscuous ports but
cannot communicate with other communities. There can be multiple community VLANs per PVLAN.

For example, in the topology above:


+ Host A cannot communicate with Hosts B, C, D, E and F. It can only communicate with the
promiscuous port that leads to the router. Note that even two isolated ports in the same
isolated VLAN cannot communicate with each other.

+ Host C can communicate with Host D because they are in the same community but Host
C cannot communicate with E and F because they are in a different community.

+ All hosts can go outside through promiscuous port.

Note also the concepts of "primary VLAN" and "secondary VLAN". A PVLAN has exactly one primary
VLAN, and all VLANs in a PVLAN domain share that primary VLAN. Secondary VLANs are the isolated
and community VLANs.

Configuration of PVLAN:

1. Set VTP mode to transparent (VTP versions 1 and 2 cannot propagate private VLAN
information; VTP version 3 can)


2. Create secondary (isolated and community) VLANs and primary VLAN
3. Associate secondary VLANs to the primary VLAN
4. Configure interfaces as promiscuous interfaces
5. Configure interfaces to be isolated or community interfaces.

Sample configuration for the topology above:

//First set VTP to transparent mode


Switch(config)#vtp mode transparent

//Create secondary VLANs


Switch(config)#vlan 101
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#vlan 102 
Switch(config-vlan)#private-vlan community
Switch(config-vlan)#vlan 103 
Switch(config-vlan)#private-vlan community

//Create primary VLAN


Switch(config-vlan)#vlan 100
Switch(config-vlan)#private-vlan primary

//Associate secondary (isolated, community) VLANs to the primary VLAN


Switch(config-vlan)#private-vlan association 101,102,103

//Configure the port connected to the router as a promiscuous port, mapping the primary VLAN
to its secondary VLANs.
Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102,103

//Ports connected to hosts A, B, C, D, E, F are configured in host mode and assigned to the
appropriate secondary VLAN (A and B to isolated VLAN 101; C and D to community VLAN 102; E and
F to community VLAN 103). Each host needs its own port, so the ranges must not overlap:
Switch(config)# interface range f0/2 - 3 //connected to hosts A and B
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 101

Switch(config-if-range)# interface range f0/4 - 5 //connected to hosts C and D
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102

Switch(config-if-range)# interface range f0/6 - 7 //connected to hosts E and F
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 103

To check the configuration, use this command:

Switch# show vlan private-vlan


1. Before you start, make sure the VTP mode is set to transparent (VTP v1/v2 cannot carry
private VLAN information; VTP v3 can).
2. The difference between a private VLAN and a protected port is that a protected port is
local to the switch itself, whereas a private VLAN can be carried across trunks to other
switches.
3. A private VLAN consists of a primary VLAN and one or more secondary VLANs.
4. There are two types of secondary VLAN, namely isolated and community.
5. Hosts within the same community VLAN can communicate with one another. Hosts within a
community VLAN cannot communicate with hosts in a different community or with hosts in the
isolated VLAN.
6. Hosts within the isolated VLAN cannot communicate among themselves.
7. The promiscuous port is the port that can reach both community and isolated ports, and
that all of them can reach (typically the default gateway).
8. Community and isolated VLANs do not run a spanning-tree instance of their own; they inherit
the STP parameters of their primary VLAN.
Step by Step
Step 1: Change VTP mode to transparent.
3560-2(config)#vtp mode transparent
Step 1.1: Define your VLANs.

3560-2(config)#vlan 99
3560-2(config-vlan)#name pri-vlan
3560-2(config)#vlan 100
3560-2(config-vlan)#name comm-vlan
3560-2(config-vlan)#vlan 200
3560-2(config-vlan)#name isolated-vlan
Step 2:Define your secondary vlans.

3560-2(config-vlan)#vlan 100
3560-2(config-vlan)#private-vlan community
3560-2(config-vlan)#vlan 200
3560-2(config-vlan)#private-vlan isolated
Step 3:Define your primary vlan and associate secondary vlans into this.
3560-2(config-vlan)#vlan 99
3560-2(config-vlan)#private-vlan primary
3560-2(config-vlan)#private-vlan association 100,200
Step 4: Define your port roles based on the diagram above.

3560-2(config)#int fa0/1
3560-2(config-if)#switchport mode private-vlan promiscuous
3560-2(config-if)#switchport private-vlan mapping 99 100,200
3560-2(config-if)#int range fa0/10 - 11
3560-2(config-if-range)#switchport mode private-vlan host
3560-2(config-if-range)#switchport private-vlan host-association 99 100
3560-2(config-if-range)#int range fa0/20 - 21
3560-2(config-if-range)#switchport mode private-vlan host
3560-2(config-if-range)#switchport private-vlan host-association 99 200
Check the VLAN roles:
3560-2#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
99      100       community         Fa0/1, Fa0/10, Fa0/11
99      200       isolated          Fa0/1, Fa0/20, Fa0/21

III. PVLAN EDGE


a. This is what we call "Private VLAN Lite". Some switches do not support PVLANs; on such a
switch you can configure protected ports instead. A protected port does not forward any
traffic (unicast, multicast or broadcast) to another protected port on the same switch, so
two servers in the same VLAN that are both connected to protected ports cannot talk to each
other; they can still reach unprotected ports, such as the port facing the default gateway.
This isolation is local to the switch: two protected ports on different switches can still
communicate across the trunk between them. Here is how you would configure that.
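The configuration below is added as an example (it is not the original notes' own figure) of the PVLAN Edge setup just described: two servers on protected ports in one VLAN, with the gateway port left unprotected. The hostname ALS2, VLAN 20 and the interface numbers are assumptions.

```cisco
! ALS2 - a switch without private VLAN support (example; hostname, VLAN and ports are assumptions)
!
! Two servers in VLAN 20 on protected ports: the switch will not forward frames between them
interface range FastEthernet0/2 - 3
 description isolated server (protected port)
 switchport mode access
 switchport access vlan 20
 switchport protected
 spanning-tree portfast
!
! The gateway-facing port stays unprotected, so both servers can still reach the router
interface FastEthernet0/1
 description default gateway for VLAN 20 (unprotected port)
 switchport mode access
 switchport access vlan 20
!
! Verification: the switchport output shows "Protected: true" for Fa0/2 and Fa0/3
! ALS2# show interfaces FastEthernet0/2 switchport
! ALS2# show interfaces FastEthernet0/3 switchport
```

Two caveats when relying on this instead of real PVLANs: the isolation does not extend over a trunk, so a third server in VLAN 20 on another switch can reach both protected servers; and the gateway on Fa0/1 is a Layer 3 device that can forward traffic between the two servers (for instance with proxy ARP enabled), so an ACL on the gateway is still needed if they must not reach each other at Layer 3 either.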
Additional Switched Data Plane Controls

I. DHCP SERVER SNOOPING


a. All access ports should be left untrusted (the default) and all inter-switch ports should
be configured as trusted, as should every port pointing toward the DHCP server.
b. Enable DHCP snooping globally on the switch and for each VLAN to be protected. DHCP rate
limiting can also be applied on the untrusted ports.

DHCP Snooping Violation Messages

II. CONFIGURING IP DHCP SNOOPING AND DYNAMIC ARP INSPECTION TO MITIGATE AGAINST ARP SPOOFING
ATTACKS
a. DHCP snooping is a DHCP security feature that provides network security by filtering
untrusted DHCP messages and by building and maintaining a DHCP snooping binding database,
also referred to as the DHCP snooping binding table (the IP address, MAC address, VLAN,
interface and lease time of each client that obtained a lease through the switch).
b. For DHCP snooping to function properly, all DHCP servers must be connected to the switch
through trusted interfaces; all other interfaces stay untrusted.
c. The switch drops a DHCP packet when one of these situations occurs:
- A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY
packet, is received from outside the network or firewall, i.e. on an untrusted interface
(this is what stops a rogue DHCP server on an access port).
- A packet is received on an untrusted interface, and the source MAC address and the DHCP
client hardware address (chaddr) do not match.
- The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address
in the DHCP snooping binding database, but the interface information in the binding
database does not match the interface on which the message was received.
- A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address (giaddr)
that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82
information, to an untrusted port.
d. Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the valid
IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding
database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs
and on the switch. If the ARP packet is received on a trusted interface, the switch
forwards the packet without any checks. On untrusted interfaces, the switch forwards the
packet only if it is valid, and drops and logs it otherwise.
e. You enable DAI on a per-VLAN basis with the ip arp inspection vlan vlan-range global
configuration command.
f. Address Resolution Protocol (ARP) poisoning is a type of attack in which the attacker
sends forged ARP messages so that a victim's ARP cache maps an IP address (typically the
default gateway's) to the attacker's MAC address. Also called ARP spoofing, it is
effective against both wired and wireless local networks. Things an attacker can do with
ARP poisoning include stealing data from the affected computers, eavesdropping using
man-in-the-middle methods, and preventing legitimate access to services, such as Internet
access.

Scenario:
g. User A contacts DLS1 (172.16.1.1) to obtain an IP address via DHCP; this creates an entry
for User A (172.16.1.2) in the DHCP snooping binding table on DLS1. "Attacker" is in the same
VLAN 1 as User A and uses Cain & Abel to send gratuitous ARP replies: one telling User A that
172.16.1.1 is at the attacker's MAC address, and one telling DLS1 that 172.16.1.2 is at the
attacker's MAC address. User A then sends its packets to the attacker believing it is sending
them to the default gateway, and the attacker forwards them on, sitting in the middle of both
directions of the conversation. This is called a "man-in-the-middle" attack. With DAI enabled
on VLAN 1, both forged replies arrive on untrusted ports and contradict the binding table, so
they are dropped and logged instead of poisoning the ARP caches.
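The configuration below is an added example (not part of the original notes) that puts the DHCP snooping deployment rules from the "DHCP Server Snooping" section and the DAI rules above together on the access switch in front of DLS1 for the scenario just described, and adds the IP Source Guard mentioned under IP spoofing, since it relies on the same binding table. The access-switch hostname ALS1, the interface numbers, the static host 172.16.1.10 with MAC 0011.2233.4455 and the binding-file name are assumptions; VLAN 1, DLS1 at 172.16.1.1 and User A at 172.16.1.2 come from the scenario.

```cisco
! ALS1 - access switch between User A / Attacker and DLS1 (example; hostname, ports and the
! static host are assumptions; VLAN 1, 172.16.1.1 and 172.16.1.2 are the scenario's values)
!
! --- DHCP snooping: builds the binding table that DAI and IP Source Guard rely on ---
ip dhcp snooping
ip dhcp snooping vlan 1
! drop client packets whose source MAC differs from the DHCP chaddr (default, shown explicitly)
ip dhcp snooping verify mac-address
! no relay agent between the clients and DLS1, so do not insert option 82: a DHCP server
! receiving option 82 with giaddr 0.0.0.0 drops the request unless told to trust it
no ip dhcp snooping information option
! persist bindings across a reload, otherwise DAI/IPSG drop valid hosts until they renew
ip dhcp snooping database flash:dhcp-snoop.db
!
! --- Dynamic ARP Inspection on the same VLAN, with extra sanity checks on the ARP body ---
ip arp inspection vlan 1
ip arp inspection validate src-mac dst-mac ip
! a statically addressed host has no DHCP binding and must be permitted explicitly,
! otherwise DAI drops all of its ARP traffic
arp access-list STATIC-HOSTS
 permit ip host 172.16.1.10 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 1
!
! ports err-disabled by rate limiting come back on their own after 5 minutes
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Uplink to DLS1 (DHCP server and default gateway): trusted for both features
interface GigabitEthernet0/1
 description uplink to DLS1 (172.16.1.1)
 ip dhcp snooping trust
 ip arp inspection trust
!
! User A and Attacker ports: untrusted (the default), rate-limited, and IP Source Guard so
! that a host can only send IP packets from the address in its own binding
interface range FastEthernet0/2 - 3
 description user access port (User A on Fa0/2, Attacker on Fa0/3)
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source
!
! Verification
! ALS1# show ip dhcp snooping
! ALS1# show ip dhcp snooping binding
! ALS1# show ip arp inspection vlan 1
! ALS1# show ip arp inspection statistics vlan 1
! ALS1# show ip verify source
```

In the scenario, the attacker's gratuitous ARP for 172.16.1.1 arrives on untrusted Fa0/3, where the binding table has no entry for that address (the gateway sits behind the trusted uplink), and the reply claiming 172.16.1.2 carries a sender MAC that differs from User A's binding on Fa0/2; DAI drops both and the counters in "show ip arp inspection statistics" increase. Only inter-switch links and server-facing ports should ever be trusted: a trusted port bypasses every check above. "ip verify source" checks the source IP only; "ip verify source port-security" additionally checks the source MAC but requires port security on the interface, and the exact IPSG keyword varies between Catalyst platforms.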
