
Network Security

Spring 2014

Topology

[Figure: the logical topology of the network environment used for testing. The image is not included in the extracted text.]


Introduction

The area I want to focus on is network-related security, or more specifically to what extent we can secure a network given the equipment we have. I want to research which security issues and measures are common, configure the network equipment in a secure manner and find a way to test all of the security-related configuration that will be used. The questions I want answered are: what can be done when the security requirements for a network are very high, do the steps taken really work, how can they be tested, and what are the potential pitfalls when securing a network?


The scenario I want to work on is a small network with one router and one switch that I want to lock down as hard as I can without rendering it completely unusable. On the network I will have one RADIUS server, one DHCP server, one client (expected to be there, behaves fine), one more client (expected to be there, behaves badly and can't be trusted) and one client that shouldn't be there at all but wants to get in. I want to try things like port security, 802.1X, IP source guard, dynamic ARP inspection and DHCP spoofing prevention: simply everything I can think of that could improve the security of the network.


Almost all of the tests will be performed on a virtual machine running Ubuntu Desktop. For example, after enabling IP source guard and dynamic ARP inspection I will try to create traffic that under normal circumstances could fool other hosts on the network and see what happens. For every security feature I am going to try out I will follow these steps:


1. Do some tests before anything is configured to see how things work under normal circumstances.

2. Configure the security features on the network devices (either on the router or the switch).

3. Do tests to see whether the enabled security features work as one would expect them to.

4. See what happens when a successful test of a security feature is performed: what are the consequences of triggering the newly enabled restriction(s)?



quite work as expected and how is it possible to create specific network traffic (for example traffic that contains a different source IP address or answer ARP requests with fake ARP replies).

Tests

There are several tests I want to perform and because they are unrelated to each other there is one section for each subject. Each section contains the tests performed before, the detailed configuration of a feature and the results of the tests performed afterwards (end results).

Port Security

The first thing I want to try out is limiting which machines can use specific ports on the switch. With what is called port security I can configure a specific interface on the switch to accept only a machine with a specific MAC address; if the switch sees a frame on that port with a different source MAC address it notices immediately and an action is triggered [1]. In this scenario we want high security and therefore we configure the switch to shut the interface down completely when the security feature is triggered.

Tests Before

Under normal circumstances there are no restrictions on which MAC address can be used on which interface. Most of the time it is simply not something you want enabled. Because of this there is not much to test except using different machines (or changing the MAC address of one machine in software) on one port just to make sure that it really does work no matter what.

Configuration

interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address 9c4e.2067.fe90
 switchport port-security violation shutdown
!
interface FastEthernet0/13
 switchport port-security
 switchport port-security mac-address 000c.292a.4415
 switchport port-security violation shutdown
!
interface FastEthernet0/14
 switchport port-security
 switchport port-security mac-address 000c.29f3.0559
 switchport port-security violation shutdown
!

The command “switchport port-security” enables the port security feature on the interface, “switchport port-security mac-address <MAC>” specifies which MAC address is allowed on the interface, and “switchport port-security violation shutdown” specifies that when a frame with any other source MAC address is seen on the port, the interface is immediately put into the err-disabled state.

Tests After

To make sure that the port security feature really does work as expected I plugged one client with an allowed MAC address into interface fa0/13 and another client with a MAC address that is not allowed into interface fa0/14. The client on interface fa0/13 can use the network as one would expect but the client on interface fa0/14 cannot. Interface fa0/14 was immediately disabled and marked as “Errdisable”, which means that the only way for that port to start working again is to manually turn the interface off and on on the switch by running “shutdown” and “no shutdown” on it.
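As an added example (not the page's own code and not switch firmware), the following Python model reproduces the decision the switch makes on fa0/13 and fa0/14 with the configuration above: a frame from the configured MAC is forwarded, a frame from any other MAC triggers the violation action, in shutdown mode the port goes err-disabled until shutdown / no shutdown is run, and a cloned copy of the allowed MAC is accepted. The class and method names, and the restrict and protect violation modes (the page only uses shutdown), are assumptions; the interface names and MAC addresses are the page's.

```python
"""Model of the 'switchport port-security' decision for one interface.

Added example: this is not Cisco IOS code and not the essay author's code.
Interface names and MAC addresses are the ones configured on the page; the
class and method names are illustrative.
"""


def norm(mac):
    """Normalise '9c4e.2067.fe90', '9C:4E:20:67:FE:90' etc. to one form."""
    return mac.lower().replace(":", "").replace("-", "").replace(".", "")


class SecurePort:
    def __init__(self, name, allowed=(), maximum=1, violation="shutdown"):
        self.name = name
        self.allowed = {norm(m) for m in allowed}  # switchport port-security mac-address
        self.maximum = maximum                      # switchport port-security maximum
        self.violation = violation                  # protect | restrict | shutdown
        self.err_disabled = False
        self.admin_down = False
        self.violations = 0                         # counted by restrict and shutdown

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame whose source MAC is src_mac."""
        if self.err_disabled or self.admin_down:
            return "drop"
        mac = norm(src_mac)
        if mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(mac)                   # dynamic learning up to 'maximum'
            return "forward"
        if self.violation == "protect":
            return "drop"                           # silent drop, nothing logged
        self.violations += 1                        # restrict: drop and count
        if self.violation == "shutdown":
            self.err_disabled = True                # shutdown: port goes err-disabled
        return "drop"

    def shutdown(self):
        self.admin_down = True

    def no_shutdown(self):
        """'shutdown' followed by 'no shutdown' is the manual err-disable recovery."""
        self.admin_down = False
        self.err_disabled = False


def scenario():
    """Replays the page's test and the MAC-cloning weakness on the same ports."""
    fa13 = SecurePort("Fa0/13", ["000c.292a.4415"])
    fa14 = SecurePort("Fa0/14", ["000c.29f3.0559"])
    r = {}
    r["allowed_on_fa13"] = fa13.ingress("000c.292a.4415")
    r["foreign_on_fa14"] = fa14.ingress("00:11:22:33:44:55")   # violation: err-disable
    r["fa14_err_disabled"] = fa14.err_disabled
    r["legit_while_disabled"] = fa14.ingress("000c.29f3.0559")  # even the right MAC is dropped
    fa14.shutdown()
    fa14.no_shutdown()
    r["legit_after_recovery"] = fa14.ingress("000c.29f3.0559")
    # An attacker who sniffed the workstation's MAC and cloned it passes the check:
    # port security matches addresses, it does not authenticate devices.
    r["cloned_mac"] = fa14.ingress("00:0C:29:F3:05:59")
    # 'restrict' mode keeps the port up and only drops the offending frames
    fa13r = SecurePort("Fa0/13", ["000c.292a.4415"], violation="restrict")
    fa13r.ingress("00:11:22:33:44:55")
    r["restrict"] = (fa13r.err_disabled, fa13r.violations, fa13r.ingress("000c.292a.4415"))
    return r


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:22} {value}")
```

The cloned-MAC case is the important one: the model forwards it exactly as the real switch would, which is why the page pairs port security with 802.1X as the actual authentication mechanism.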

DHCP snooping

In this specific network scenario there is one legitimate DHCP server that all clients on the network can use to get their IP address configuration. Under normal circumstances any machine on a network can act as a DHCP server, which can create problems. If a malicious user on the network starts a DHCP server, the other clients may start using it and receive IP address configuration that is not correct. A malicious user can for example hand out IP address configuration that does not work at all or, even worse, working configuration that names the malicious user's machine as the gateway for the network [2]. We want all DHCP server replies that come from untrusted ports to be dropped by the switch.

Tests Before

Before enabling the DHCP snooping feature on the switch i made sure that the legitimate DHCP server was up and running and could be used by all of the clients on the network.

Configuration

ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 3
!
interface FastEthernet0/14
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 3
!

The command “ip dhcp snooping” turns on the feature globally, “ip dhcp snooping vlan 10” specifies the VLAN that should be protected, “ip dhcp snooping trust” marks the port on which the legitimate DHCP server is located (server messages such as OFFER and ACK are only accepted from trusted ports), and “ip dhcp snooping limit rate 3” limits how many DHCP packets per second are allowed on a port (prevents flooding; exceeding the limit puts the port into the err-disabled state). “no ip dhcp snooping information option” stops the switch from inserting the relay agent information option (DHCP option 82) into the client packets it forwards. With the option inserted the legitimate DHCP server stopped answering; a common cause is that a DHCP server will typically discard packets that carry option 82 but have the relay address (giaddr) set to 0.0.0.0, which is what a switch that is not a relay produces.

Tests After

We have one legitimate DHCP server connected to interface fa0/1 that is supposed to keep working; to make sure it still does we can run “sudo dhclient eth0” on one of the clients connected to interface fa0/13 or fa0/14. After we have made sure the service still works on a trusted port we can move the host connected to port fa0/1 to the untrusted port fa0/2 and run “dhclient” once more on the client to see what happens. It no longer works because the switch silently drops the DHCP server replies coming from the untrusted port.

(6)

IP Source Guard

To prevent hosts on the network from lying about the source IP address they put inside packets we can make use of the DHCP snooping binding database that we already have on the switch (it records the MAC address, IP address, VLAN and port of every host that obtained a lease through the switch). With this database the switch knows which source IP address (and MAC address) to expect in packets arriving on each port and drops anything else [3].

Tests Before

To try out a network connection and at the same time fake the source IP address we can use a program called “hping3” on one of the clients. With “hping3” we can easily send packets to another host while lying about the source IP address. All we need to do is run “hping3 -a 10.0.0.123 10.0.0.1” and see what happens (10.0.0.123 is a fake IP address and 10.0.0.1 is the DHCP server). The communication works just fine.

Configuration

interface FastEthernet0/1
 ip verify source port-security
!
interface FastEthernet0/13
 ip verify source port-security
!
interface FastEthernet0/14
 ip verify source port-security
!
ip source binding 9C3E.2067.FE90 vlan 10 10.0.0.1 fa0/1
!

The command “ip source binding 9C3E.2067.FE90 vlan 10 10.0.0.1 fa0/1” creates a static binding for the gateway (the DHCP server), which never appears in the DHCP snooping database because it does not obtain its address through DHCP. “ip verify source port-security” enables the feature on an interface; the port-security keyword means that both the source IP address and the source MAC address of every packet are checked against the bindings for that port, which is why port security has to be enabled on the same interfaces.

Tests After


Dynamic ARP Inspection

When a host on a network wants to find out the MAC address of another host with a specific IP address it broadcasts an ARP request, and any host on the segment can answer. The host that answers might be a malicious user with bad intentions. For example, if a new host arrives on the network and asks for the MAC address of the host with IP address 10.0.0.1 (our gateway), another host (for example 10.0.0.20) can answer, and from then on the new host will send its gateway traffic to 10.0.0.20 even though it is not the gateway. This is a typical man-in-the-middle attack [4].

Tests Before

To test this we need to send out fake ARP replies and see if we can trick another host into believing we are someone else on the network. We can use a program called “arpspoof” to continuously flood the network with ARP replies. First we run “arpspoof -i eth0 -t 10.0.0.10 10.0.0.200” (we target host 10.0.0.10 and tell it we are 10.0.0.200) on the host with IP address 10.0.0.20, and on the host with IP address 10.0.0.10 we simply run “traceroute 10.0.0.200” to see how traffic travels to 10.0.0.200. From the results we can see that the target 10.0.0.10 believes that the attacker 10.0.0.20 is indeed the host with IP address 10.0.0.200.

Configuration

ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

The command “ip arp inspection vlan 10” enables dynamic ARP inspection on VLAN 10: every ARP packet arriving on an untrusted port in that VLAN is checked against the DHCP snooping binding database (plus any static bindings), and a packet whose sender IP/MAC pair is not bound to that port is dropped. “ip arp inspection validate src-mac dst-mac ip” adds three extra checks on the packet itself: the Ethernet source MAC must equal the ARP sender MAC, the Ethernet destination MAC must equal the ARP target MAC in replies, and the ARP body must not carry invalid IP addresses (0.0.0.0, 255.255.255.255 or multicast addresses; the sender IP is checked in all ARP packets, the target IP only in replies).
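As an added example, not the page's code and not Cisco IOS, the following Python model ties the three features of this essay together around one binding table: DHCP snooping builds the table (trusted port, rate limit, server replies dropped on untrusted ports), IP Source Guard checks the source IP and MAC of IP packets against it, and Dynamic ARP Inspection checks the ARP sender fields against it with the src-mac, dst-mac and ip validations. Representing packets as dicts and tuples and the class name are assumptions; the port names, MAC and IP addresses, and the hping3 and arpspoof cases replayed in scenario() are the page's own.

```python
"""Model of the decisions a switch makes with DHCP snooping, IP Source Guard
and Dynamic ARP Inspection enabled, all driven by one binding table.
Added example: not Cisco IOS code and not the essay author's code. Packets
are plain dicts and tuples (an assumption made for readability)."""
from collections import defaultdict

VLAN = 10
SERVER_OPS = {"OFFER", "ACK", "NAK"}          # messages only a DHCP server sends
INVALID_IPS = {"0.0.0.0", "255.255.255.255"}  # DAI 'validate ip' rejects these


class SnoopingSwitch:
    def __init__(self, trusted=(), rate_limit=None, ipsg_ports=()):
        self.trusted = set(trusted)                # ip dhcp snooping trust
        self.rate_limit = dict(rate_limit or {})   # ip dhcp snooping limit rate N
        self.ipsg_ports = set(ipsg_ports)          # ip verify source port-security
        self.dhcp_seen = defaultdict(int)          # DHCP packets per untrusted port
        self.pending = {}                          # client MAC -> port of its REQUEST
        self.bindings = {}                         # (vlan, ip) -> (mac, port)
        self.err_disabled = set()

    def add_static_binding(self, mac, ip, port):
        """ip source binding <mac> vlan 10 <ip> <port>: for a host that never
        gets a lease through the switch (here the DHCP server / gateway)."""
        self.bindings[(VLAN, ip)] = (mac.lower(), port)

    def dhcp_ingress(self, port, msg):
        """msg = {'op': DISCOVER|REQUEST|OFFER|ACK|NAK, 'chaddr': mac, 'yiaddr': ip}"""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            if msg["op"] == "ACK" and msg["chaddr"] in self.pending:
                # lease granted: record the client's ip/mac/port in the binding table
                client_port = self.pending.pop(msg["chaddr"])
                self.bindings[(VLAN, msg["yiaddr"])] = (msg["chaddr"], client_port)
            return "forward"
        self.dhcp_seen[port] += 1
        if self.dhcp_seen[port] > self.rate_limit.get(port, float("inf")):
            self.err_disabled.add(port)            # flooding: port goes err-disabled
            return "drop"
        if msg["op"] in SERVER_OPS:
            return "drop"                          # rogue server on an untrusted port
        if msg["op"] == "REQUEST":
            self.pending[msg["chaddr"]] = port
        return "forward"

    def ip_ingress(self, port, src_mac, src_ip):
        """IP Source Guard in port-security mode: source IP and MAC must both
        match a binding that belongs to this port."""
        if port not in self.ipsg_ports:
            return "forward"
        ok = self.bindings.get((VLAN, src_ip)) == (src_mac.lower(), port)
        return "forward" if ok else "drop"

    def arp_ingress(self, port, eth_src, eth_dst, op, sha, spa, tha, tpa):
        """Dynamic ARP Inspection with 'validate src-mac dst-mac ip'. The page
        configures no ARP-trusted port, so every port is inspected."""
        eth_src, eth_dst, sha, tha = (m.lower() for m in (eth_src, eth_dst, sha, tha))
        if eth_src != sha:                                   # validate src-mac
            return "drop"
        if op == "reply" and eth_dst != tha:                 # validate dst-mac
            return "drop"
        if spa in INVALID_IPS or (op == "reply" and tpa in INVALID_IPS):  # validate ip
            return "drop"
        if self.bindings.get((VLAN, spa)) != (sha, port):    # sender must be bound here
            return "drop"
        return "forward"


def scenario():
    """Replays the page's DHCP, hping3 and arpspoof tests against the model."""
    sw = SnoopingSwitch(trusted=["fa0/1"], rate_limit={"fa0/13": 3, "fa0/14": 3},
                        ipsg_ports=["fa0/1", "fa0/13", "fa0/14"])
    gw, client, attacker = "9c4e.2067.fe90", "000c.292a.4415", "000c.29f3.0559"
    sw.add_static_binding(gw, "10.0.0.1", "fa0/1")
    r = {}
    # good client on fa0/13 leases 10.0.0.10 from the server behind trusted fa0/1
    sw.dhcp_ingress("fa0/13", {"op": "DISCOVER", "chaddr": client, "yiaddr": "0.0.0.0"})
    sw.dhcp_ingress("fa0/13", {"op": "REQUEST", "chaddr": client, "yiaddr": "0.0.0.0"})
    sw.dhcp_ingress("fa0/1", {"op": "ACK", "chaddr": client, "yiaddr": "10.0.0.10"})
    r["binding"] = sw.bindings[(VLAN, "10.0.0.10")]
    # the same server moved to untrusted fa0/2: its replies are silently dropped
    r["server_on_fa0_2"] = sw.dhcp_ingress("fa0/2", {"op": "OFFER", "chaddr": client, "yiaddr": "10.0.0.10"})
    # 'hping3 -a 10.0.0.123 10.0.0.1' from the client, then its real address
    r["spoofed_src"] = sw.ip_ingress("fa0/13", client, "10.0.0.123")
    r["real_src"] = sw.ip_ingress("fa0/13", client, "10.0.0.10")
    # 'arpspoof -t 10.0.0.10 10.0.0.200' sent by the attacker on fa0/14
    r["arpspoof"] = sw.arp_ingress("fa0/14", attacker, client, "reply",
                                   attacker, "10.0.0.200", client, "10.0.0.10")
    # a genuine reply from the gateway (static binding) still gets through
    r["gateway_reply"] = sw.arp_ingress("fa0/1", gw, client, "reply",
                                        gw, "10.0.0.1", client, "10.0.0.10")
    # two more DHCP packets on fa0/13 make four, exceeding 'limit rate 3'
    for _ in range(2):
        sw.dhcp_ingress("fa0/13", {"op": "DISCOVER", "chaddr": client, "yiaddr": "0.0.0.0"})
    r["fa0_13_err_disabled"] = "fa0/13" in sw.err_disabled
    return r
```

The arpspoof reply is dropped because 10.0.0.200 has no binding on fa0/14, not because the switch knows who 10.0.0.200 really is; a host that legitimately leased 10.0.0.200 on fa0/14 could answer for it. The same table is what makes the static binding for the gateway necessary: without it, both the gateway's IP packets (IP Source Guard on fa0/1) and its ARP replies would fail the lookup.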

Tests After


Reflection

When I started working on this project I wanted to do more than what I eventually ended up doing. I had plans that were a little bit too big, time was running out and the essay was supposed to be quite short, which I noticed early on mine would not be. In the introduction I talk about things like RADIUS and about common security problems etc. which I ended up skipping. I leave the introduction and topology intact so the reader at least can understand what I wanted to do and what I wanted to achieve. At least most of the project's goals were met.

The port security feature works but it is in reality little more than security by obscurity. A user who wants to gain access to the network can under certain circumstances easily find out what MAC hardware address works on different ports. Let's say that we have two stationary workstations connected to the ports fa0/13 and fa0/14; the malicious user could just unplug one of them and listen to the traffic that it sends out to find out what MAC hardware address the workstation has and later on use the same one on another computer. Port authentication with 802.1X and RADIUS could be used as a solution to this weakness.

The DHCP snooping feature was the only one I had any real problems with. Turning it on was not a problem but making the legitimate DHCP server work was a big problem. It was not working quite as one would expect it to; saying that a port was to be trusted was not enough for the legitimate DHCP server to work again. After a lot of wasted hours I fixed the problem with the command “no ip dhcp snooping information option”; without it the switch will add information in the option field inside the DHCP header when it encounters DHCP packets, and that creates problems for some reason which I do not fully understand.

The IP source guard feature worked like a charm. Thanks to the already existing DHCP snooping database little configuration is needed and it will continue to work in a dynamic fashion. I did have to add information about one host, but that was only because the host is the same one that is running the DHCP server and it will therefore never use it, which in turn means it does not end up in the dynamic DHCP snooping database. The host will simply not ask itself for IP network configuration settings, and even if it did, that information would not cross the switch and it would continue to be unaware of it no matter what.


References

[1] D. Huckaby, “Securing Switch Access,” in CCNP SWITCH 642-813 Official Certification Guide. Indianapolis: Cisco Press, 2011, pp. 373-376.

[2] D. Huckaby, “Securing Switch Access,” in CCNP SWITCH 642-813 Official Certification Guide. Indianapolis: Cisco Press, 2011, pp. 379-381.

[3] D. Huckaby, “Securing Switch Access,” in CCNP SWITCH 642-813 Official Certification Guide. Indianapolis: Cisco Press, 2011, pp. 381-383.
