Campus Network Design Fundamentals

In the past few years, switches have become equipped with features that make them more intelligent, allowing them to provide an active role in network security.

Cisco documentation refers to Catalyst integrated security (CIS). However, the term CIS refers only to built-in functionality that is native to the Catalyst switches, not to the security features inherent in the modules that can be installed in the switches (for example, firewall blades and so forth). Thus, in this book, we have categorized these two types of switch security as follows:

  • Catalyst native security: those features built into the switch itself

  • Catalyst hardware security: features of hardware that can be installed in the switch

These categories are described in the following sections.

Note

Refer to Chapter 4, "Network Security Design," for general information on network security.

Catalyst Native Security

Cisco switches have many native attributes that can be used to secure a network.

Some attributes are related to the secure management of the switch itself. One example is the use of secure shell (SSH), rather than Telnet, when remotely managing the switch. Another example is disabling unused switch ports so that the network cannot be accessed through them.

Secure Shell

SSH is a protocol that is similar to Telnet, but SSH uses encryption for security. SSH usually uses TCP port 22.

Catalyst native security can protect networks against serious threats originating from the exploitation of MAC address vulnerabilities, ARP vulnerabilities, and Dynamic Host Configuration Protocol (DHCP) vulnerabilities. (Both ARP and DHCP are covered in Appendix B.) Table 2-1 shows some examples of the protection provided by the built-in intelligence in Catalyst switches.

Table 2-1. Examples of Built-In Intelligence to Mitigate Attacks

Attack: DHCP Denial of Service (DoS)
  A DHCP DoS attack can be initiated by a hacker. Besides taking down the legitimate DHCP server, the attack can also come from a server that is pretending to be a legitimate DHCP server. This rogue server replies to DHCP requests with phony DHCP information.
Native Security (Built-In Intelligence) to Mitigate the Attack: Trusted-State Port
  The switch port to which the DHCP server is attached can be set to a "trusted" state. Only trusted ports are allowed to pass DHCP replies. Untrusted ports are only allowed to pass DHCP requests.

Attack: MAC Flooding
  A hacker targets the switch's MAC address table and floods it with many addresses.
Native Security (Built-In Intelligence) to Mitigate the Attack: MAC Port Security
  The switch can be configured with a maximum number of MAC addresses per port. The switch can also be configured with static MAC addresses that identify the specific addresses it should allow, further constraining the devices allowed to attach to the network.

Attack: Redirected Attack
  A hacker wanting to cover his tracks and complicate the network forensics investigation might decide to compromise an intermediary target first. The hacker would then unleash his attack on the intended target from that intermediary victim.
Native Security (Built-In Intelligence) to Mitigate the Attack: Private VLAN (PVLAN)
  The flow of traffic can be directed by using PVLANs. In the example shown in Figure 2-11, a PVLAN is defined so that traffic received on either switch port 2 or 3 can exit only by switch port 1. Should a hacker compromise server A, he would not be able to directly attack server B, because traffic can flow only between port 1 and port 2 and between port 1 and port 3. Traffic is not allowed to flow between port 2 and port 3.

Figure 2-11. Using a Switch to Create a PVLAN
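The three mitigations in Table 2-1 can be combined on one switch. The following IOS configuration is an added example and is not taken from the book; the port numbers (GigabitEthernet1/1 through 1/3), VLAN numbers (100 primary, 101 isolated) and the static MAC address are hypothetical values chosen to match Figure 2-11, with port 1 as the uplink toward the gateway and DHCP server and ports 2 and 3 as the server ports.

```cisco
! PVLANs require VTP transparent mode on older Catalyst platforms.
vtp mode transparent
!
! DHCP snooping on the primary VLAN: DHCP replies are accepted only on
! ports marked "trust"; every other port may forward DHCP requests only.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Private VLAN: 100 is the primary VLAN, 101 the isolated secondary VLAN.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Port 1: promiscuous port toward the gateway and the DHCP server.
! It is the only port trusted to pass DHCP replies.
interface GigabitEthernet1/1
 description Uplink to gateway and DHCP server (hypothetical)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
 ip dhcp snooping trust
!
! Port 2: server A. Isolated host port (can reach port 1 only) with
! port security: at most two MAC addresses, one of them static.
! "restrict" drops frames from extra addresses and logs the violation.
interface GigabitEthernet1/2
 description Server A (hypothetical)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
!
! Port 3: server B, same isolation; a compromised server A cannot
! reach it directly because both are isolated ports of VLAN 101.
interface GigabitEthernet1/3
 description Server B (hypothetical)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```

Verify the result with `show ip dhcp snooping`, `show port-security interface GigabitEthernet1/2` and `show vlan private-vlan`; the trusted-port list, the configured maximum and the isolated/promiscuous port mapping should match the intent above.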

Catalyst Hardware Security

Cisco switches can provide security, flexibility, and expandability to networks. As an example, the Catalyst 6500 Series switches can be equipped with modules that are full-fledged security devices themselves. Some example security modules are as follows:

  • Cisco Firewall service module

  • Cisco Internet Protocol security (IPsec) virtual private network (VPN) service module

  • Cisco Intrusion Detection System (IDS)

  • Cisco Secure Socket Layer (SSL)

Note

Refer to Chapter 4 for information on IPsec, VPNs, IDSs, and SSLs.

As an example of the flexibility provided by these modules, consider that when using a Cisco Firewall service module, any port on a Catalyst 6500 switch can operate as a firewall. An example of the expandability of the modules is the use of the IPsec VPN module. This module can terminate up to 8000 VPN connections (known as VPN tunnels) simultaneously and can create 60 new tunnels per second; up to 10 of these modules can be installed in a Catalyst 6500 switch.
