Chapter 4. Security Features on Switches


This chapter describes Layer 2 security basics and the security features on switches that are available to combat network security threats. These threats result from weaknesses in Layer 2 of the OSI model—the data-link layer. Switches act as arbiters to forward and control all the data flowing across the network. The current trend is for network security to be solidified through the support of switch security features that build feature-rich, high-performance, and optimized networks. The chapter examines the integrated security features available on Cisco Catalyst switches to mitigate threats that result from the weaknesses in Layer 2 of the OSI model. The chapter also provides guidelines and recommendations intended to help you understand and configure the Layer 2 security features available on Cisco switches to build robust networks.

A summary of Layer 2 best practices is provided toward the end of the chapter.



Securing Layer 2

With the rapid growth of IP networks in the past years, high-end switching has played one of the most fundamental and essential roles in moving data reliably, efficiently, and securely across networks. Cisco Catalyst switches are the leader in the switching market and major players in today's networks.

The data-link layer (Layer 2 of the OSI model) provides the functional and procedural means to transfer data between network entities with interoperability and interconnectivity to other layers, but from a security perspective, the data-link layer presents its own challenges. Network security is only as strong as the weakest link, and Layer 2 is no exception. Applying first-class security measures to the upper layers (Layers 3 and higher) does not benefit your network if Layer 2 is compromised. Cisco switches offer a wide range of security features at Layer 2 to protect the network traffic flow and the devices themselves.

Understanding and preparing for network threats is important, and hardening Layer 2 is becoming imperative. Cisco is continuously raising the bar for security, and security feature availability at Layer 2 is no exception. The sections that follow highlight the Layer 2 security features available on Cisco Catalyst switches.

Note

The configuration examples shown in this chapter are based on Cisco IOS Software syntax only (also known as native mode). Catalyst Operating System (CatOS) software-based examples are not covered.



Port-Level Traffic Controls

Port-based traffic control features can be used to provide protection at the port level. Catalyst switches offer Storm Control, Protected Ports, Private Virtual Local Area Network (PVLAN), Port Blocking, and Port Security features.



Storm Control

A LAN storm typically occurs when hostile packets are flooded on the LAN segment, creating unnecessary and excessive traffic that results in network performance degradation. Several factors can cause a storm on a network; examples include errors in the protocol-stack implementation or a loophole that is exploited in a device configuration.

The Storm Control feature prevents regular network traffic from being disrupted by a broadcast, multicast, or unicast packet storm on any of the physical interfaces.

Traffic storm control (also known as the traffic suppression feature) monitors inbound packets over a 1-second interval and compares the observed traffic to the configured storm-control suppression level, using one of the following methods to measure activity:

- The percentage of the total available bandwidth of the port allocated for broadcast, multicast, or unicast traffic
- The traffic rate over a 1-second interval, in packets per second, at which broadcast, multicast, or unicast packets are received on an interface

With either method, the port blocks traffic when a threshold is reached, filtering out all subsequent packets. While the port remains in the blocked state, the traffic continues to be dropped until the traffic rate drops below the suppression level, at which point the port resumes normal traffic forwarding.

To enable the traffic storm-control feature, use the storm-control {broadcast | multicast | unicast} command from the global configuration mode. By default, storm-control is disabled.

The storm-control action {shutdown | trap} command is used to specify the action to be taken when a storm is detected. By default, the storm traffic is suppressed when no action is configured.

To verify the storm-control suppression levels configured on an interface, use the show storm-control [interface] [broadcast | multicast | unicast] command.
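The following is an added example, not one of the book's own, showing the rising and falling thresholds that produce the block-then-resume behavior described above, using both measurement methods on one access port. It is Cisco IOS syntax for Catalyst 3560/3750-class switches; the threshold values are constructed, and the pps form of the level keyword is only available on releases that support it.

```text
! Added example (Cisco IOS interface configuration, not from the book).
! Threshold values are constructed; tune them to the link's normal baseline.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
! Broadcast, bandwidth-percentage method: block when inbound broadcast
! exceeds 20.00% of port bandwidth (rising level) and resume forwarding
! only once it falls below 10.00% (falling level), so a storm that hovers
! near the rising level does not flap the port.
Switch(config-if)# storm-control broadcast level 20.00 10.00
! Multicast, packets-per-second method: 5k rising, 2k falling.
Switch(config-if)# storm-control multicast level pps 5k 2k
! Unicast with a single level: the falling level defaults to the rising one.
Switch(config-if)# storm-control unicast level 50.00
! Suppression still happens; "trap" adds an SNMP notification so the NOC
! sees the event. "shutdown" would err-disable the port instead, which then
! needs "errdisable recovery cause storm-control" or a manual shut/no shut.
Switch(config-if)# storm-control action trap
Switch(config-if)# end
! Verify configured levels and the current and last-interval rates.
Switch# show storm-control FastEthernet0/1 broadcast
Switch# show storm-control FastEthernet0/1 multicast
Switch# show storm-control FastEthernet0/1 unicast
```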



Protected Ports (PVLAN Edge)

In some network environments, there is a requirement for no traffic to be seen or forwarded between host(s) on the same LAN segment, thereby preventing interhost communications. The PVLAN edge feature provisions this isolation by creating a firewall-like barrier, thereby blocking any unicast, broadcast, or multicast traffic among the protected ports on the switch. Note that the significance of the protected port feature is limited to the local switch, and there is no provision in the PVLAN edge feature to isolate traffic between two "protected" ports located on different switches. For this purpose, the PVLAN feature can be used. (This feature is discussed in more detail later in this chapter.)

The PVLAN edge offers the following features:

- The switch will not forward traffic (unicast, multicast, or broadcast) between ports that are configured as protected. Data traffic must be routed via a Layer 3 device between the protected ports.
- Control traffic, such as routing protocol updates, is an exception and will be forwarded between protected ports.
- Forwarding behavior between a protected port and a nonprotected port proceeds normally per default behavior.

By default, no ports are configured as protected. Example 4-1 shows how to enable and verify switch ports that are configured for the protected port feature.

Example 4-1. Configuring the Protected Port Feature

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
Switch# show interfaces FastEthernet0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
...
Protected: true



Private VLAN (PVLAN)

As discussed in the "Protected Ports (PVLAN Edge)" section, the PVLAN feature prevents interhost communications, providing port-based security among adjacent ports within a VLAN across one or more switches. PVLAN provides Layer 2 isolation to quarantine hosts from one another among ports within the same PVLAN.

Access ports in a PVLAN are allowed to communicate only with certain designated router ports. In most cases, this is the default gateway IP address. Private VLANs and normal VLANs can coexist on the same switch. The PVLAN feature allows segregating traffic at Layer 2, thereby transforming a broadcast segment into a nonbroadcast multi-access-like segment. To prevent interhost and interserver communication, PVLAN can be used efficiently because the number of subnets or VLANs is greatly reduced, although the segmented approach within a single network segment is still achieved. The number is reduced because there is no need to create extra subnets/VLANs.

Note

The PVLAN feature is not available on all Cisco switches. Refer to Table 4-1 for a list of supported platforms.

Table 4-1. VLAN Support on Catalyst Switches

| Platform | Software Version | Isolated PVLAN | PVLAN Edge (Protected Port) | Community VLAN |
|---|---|---|---|---|
| Catalyst 8500 | Not Supported | — | — | — |
| Catalyst 6500/6000—CatOS on Supervisor and Cisco IOS on MSFC | 5.4(1) on Supervisor and 12.0(7)XE1 on MSFC | Yes | N/A | Yes |
| Catalyst 6500/6000—Cisco IOS System software | 12.1(8a)EX, 12.1(11b)E1 | Yes | N/A | Yes |
| Catalyst 5500/5000 | Not Supported | — | — | — |
| Catalyst 4500/4000—CatOS | 6.2(1) | Yes | N/A | Yes |
| Catalyst 4500/4000—Cisco IOS | 12.1(8a)EW | Yes | N/A | 12.2(20)EW |
| Catalyst 3750 | 12.2(20)SE—EMI | Yes | 12.1(11)AX | Yes |
| Catalyst 3750 Metro | 12.1(14)AX | No | Yes | No |
| Catalyst 3560 | 12.2(20)SE—EMI | Yes | 12.1(19)EA1 | Yes |
| Catalyst 3550 | 12.1(4)EA1 | No | Yes | Not Currently Supported |
| Catalyst 2970 | 12.1(11)AX | No | Yes | No |
| Catalyst 2955 | 12.1(6)EA2 | No | Yes | No |
| Catalyst 2950 | 12.0(5.2)WC1, 12.1(4)EA1 | No | Yes | Not Currently Supported |
| Catalyst 2900XL/3500XL | 12.0(5)XU (on 8 MB switches only) | No | Yes | No |
| Catalyst 2948G-L3/4908G-L3 | Not Supported | — | — | — |
| Catalyst 2948G/2980G | 6.2 | Yes | N/A | Yes |
| Catalyst 2940 | 12.1(13)AY | No | Yes | No |
| Catalyst 1900 | Not Supported | — | — | — |











The list that follows describes the three types of PVLAN ports, as shown in Figure 4-1a:

- Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN. The function of the promiscuous port is to move traffic between ports in community or isolated VLANs. It can use access lists to identify which traffic can pass between these VLANs. Only one promiscuous port is allowed per single PVLAN, and it serves all the community and isolated VLANs in the Private VLAN.
- Isolated: An isolated PVLAN port has complete Layer 2 segregation from all the other ports within the same PVLAN, but not from the promiscuous ports. Traffic from the isolated port is forwarded only to the promiscuous ports and none other.
- Community: Community ports are logically combined groups of ports in a common community and can pass traffic among themselves and with promiscuous ports. Ports are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

Figure 4-1a. PVLAN Components

It is possible for isolated and community port traffic to enter or leave the switch through a trunk interface because trunks support VLANs carrying traffic among isolated, community, and promiscuous ports. Hence, PVLAN ports are associated with a separate set of VLANs that are used to create the PVLAN structure. A PVLAN uses VLANs in the following three ways:

- As a primary VLAN: Carries traffic from a promiscuous port to isolated, community, and other promiscuous ports in the same primary VLAN.
- As an isolated VLAN: Carries traffic from isolated ports to a promiscuous port. Ports in the isolated VLAN cannot communicate at Layer 2 with any other port within the Private VLAN (either another community VLAN port or a port in the same isolated VLAN). To communicate with other ports, they must go through the promiscuous port.
- As a community VLAN: Carries traffic between community ports within the same community VLAN and to promiscuous ports. Ports in the community VLAN can communicate at Layer 2 with each other (only within the same community VLAN) but cannot communicate with ports in other community or isolated VLANs. To communicate with other ports, they must go through the promiscuous port. Multiple community VLANs can be configured in a PVLAN.

Figure 4-1a depicts the basic PVLAN components and the different types of PVLAN ports.

The isolated and community VLANs are also called secondary VLANs. PVLANs can be extended across multiple devices by trunking the primary, isolated, and community VLANs to other devices that support PVLANs.

In summary, a Private VLAN contains three elements: the Private VLAN itself, the secondary VLANs (known as the community VLAN and isolated VLAN), and the promiscuous port.

Figure 4-1b summarizes the PVLAN components and traffic flow policies among the PVLAN ports.

Figure 4-1b. PVLAN Traffic Flow Policies
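The following added example (not from the book) builds the primary, isolated, and community VLAN structure described above on a Cisco IOS Catalyst switch, with an isolated host port, two community host ports, and one promiscuous uplink toward the default gateway. VLAN numbers and interface names are constructed; it assumes a platform that Table 4-1 lists as supporting both isolated and community PVLANs, and that VTP is in transparent mode, which VTP versions 1 and 2 require for private VLANs.

```text
! Added example (Cisco IOS syntax, not from the book). VLAN numbers 100-102
! and the interfaces are constructed values.
! VTP v1/v2 cannot propagate private VLANs, so the switch must be transparent.
Switch(config)# vtp mode transparent
! Secondary VLANs first: one isolated VLAN and one community VLAN.
Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 102
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
! Primary VLAN, then bind both secondary VLANs to it.
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101,102
Switch(config-vlan)# exit
! Isolated host port: Layer 2 reachability only to the promiscuous port.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101
Switch(config-if)# exit
! Community host ports: reach each other and the promiscuous port, but
! not Fa0/1 or ports in any other community.
Switch(config)# interface range FastEthernet0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 102
Switch(config-if-range)# exit
! Promiscuous port toward the default gateway, mapped to every secondary
! VLAN so hosts in both secondaries can reach it.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101,102
Switch(config-if)# end
! Verify the primary/secondary association and the per-port roles.
Switch# show vlan private-vlan
Switch# show interfaces GigabitEthernet0/1 switchport
```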


