(Very) Basic Network - security guidelines
Every security expert will tell you that all devices in a network must be secured, even the parts that look negligible.
This also applies to your Layer 2 network. For those who aren't familiar with the OSI model, Layer 2 (also called the Data Link layer) is the second of the model's seven layers: the protocols that move frames between devices over a shared physical medium (Ethernet, for our purposes).
I think that securing your Layer 2 network is almost as important as securing your Internet\WAN connections or your routers, because Layer 2 devices usually form the access layer of the network, the first device a frame meets on its trip to its destination. The right strategy is to stop malicious traffic or attacks as early as possible, on the Layer 2 devices themselves.
You probably figured out that when I say "Layer 2 devices" or "Layer 2 network" I mean switches. Securing your switches matters because a modern switch is in many ways more powerful than a router: it often routes as well as switches (multilayer switching), every host in the building hangs off it, and a single bad configuration or a single rogue neighbour on it can take the whole network down.
VTP\Automation of configuration
Every network administrator knows VTP, the VLAN Trunking Protocol. It is enabled by default on Cisco switches and "helps" the administrator keep the VLAN database synchronized across the switched network. VTP has three modes: Server, Client and Transparent (newer IOS versions also offer Off). A Server switch sends advertisements carrying its full VLAN configuration out of its trunk ports. Other switches in Server and Client mode accept these advertisements, rebuild their VLAN table from them and re-send them over their own trunk ports. Transparent mode is the passive one: the switch keeps its own local VLAN database, ignores the contents of the advertisements and merely forwards them on to the rest of the switches.
It looks like a convenient solution, but the major fault of this protocol, and of any other protocol that pushes configuration around automatically, is the security risk you take when you leave it running.
You might say that VTP takes some security measures since it has a password. This is correct: every switch in the domain must be configured with the same domain name and the same password for VTP to work, and a switch that receives an advertisement whose digest does not match (wrong password) ignores it and does not act on it. You will read in the following paragraphs why this password is weak protection.
VTP advertisements are sent as Layer 2 multicast frames (destination 01:00:0C:CC:CC:CC) over every trunk port in your switched network, without you even knowing about it. Anyone attached to a trunk, including a user whose port negotiated itself into a trunk, can capture these frames and parse them with any free sniffer (Wireshark, formerly Ethereal). The captured frames show the VTP domain name, the configuration revision number (a simple update counter), the IP address of the last updater and the real VLAN configuration. The password itself is not sent in clear; what is sent is an MD5 digest that the password feeds into, but the same password sits on every switch and nothing in the protocol checks who sent a frame.
This is why nothing is really protected by VTP. Anyone who learns the domain name (and the shared password, or none if you never set one) can craft their own VTP advertisements with a higher revision number, and every Server and Client switch in the domain will obey them and change its VLAN configuration. Needless to say, this isn't what you expect of VTP.
Even if none of your employees plans a VTP attack, you can create a massive catastrophe by mistake on your own: reconnecting an old switch (a spare, or one back from the lab) that carries the same domain name and a higher revision number overwrites the VLAN database of every switch in the domain, with major downtime. VLANs deleted this way take every access port assigned to them out of service.
In conclusion, configure your switches in Transparent mode ("vtp mode transparent", or "vtp mode off" where the IOS version supports it) to avoid VTP. Do the same for any other protocol that travels in the open, has no real authentication or authorization, and is that fragile.
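To make the VTP risk concrete, here is an added example in Python (not code from the original article, and not Cisco code) that parses a VTP summary advertisement from a constructed byte string and models the acceptance rule a Server or Client switch applies. The field layout follows Cisco's documented summary-advertisement format. The real MD5 computation over domain name, password and VLAN data is not reproduced; it is stood in for by an expected_digest parameter, which is an assumption of this example.

```python
"""Parse a VTP summary advertisement and model what a receiving switch does with it."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

# VTP payload after the SNAP header (OUI 00:00:0C, type 0x2003), summary advertisement (code 1):
# version, code, followers, domain length, domain (32 bytes, zero padded), config revision,
# updater IP, update timestamp (12 ASCII bytes), MD5 digest (16 bytes). 72 bytes in total.
VTP_SUMMARY_FMT = "!BBBB32sI4s12s16s"
VTP_SUMMARY = 0x01


@dataclass
class VtpSummary:
    version: int
    followers: int       # number of subset advertisements (the VLAN data) that follow
    domain: str
    revision: int        # configuration revision number: higher always wins
    updater: str         # IP of the switch that last changed the VLAN database
    timestamp: str
    md5_digest: bytes    # digest the password feeds into; the password itself is never sent


def build_summary(domain: str, revision: int, updater: str, digest: bytes,
                  version: int = 2, followers: int = 1,
                  timestamp: str = "240101120000") -> bytes:
    """Build a summary advertisement payload (used here only to construct sample input)."""
    name = domain.encode()
    if len(name) > 32 or len(digest) != 16 or len(timestamp) != 12:
        raise ValueError("bad field length")
    return struct.pack(VTP_SUMMARY_FMT, version, VTP_SUMMARY, followers, len(name),
                       name, revision, IPv4Address(updater).packed,
                       timestamp.encode(), digest)


def parse_summary(payload: bytes) -> VtpSummary:
    if len(payload) < struct.calcsize(VTP_SUMMARY_FMT):
        raise ValueError("truncated VTP summary advertisement")
    (version, code, followers, dlen, name, revision,
     updater, timestamp, digest) = struct.unpack_from(VTP_SUMMARY_FMT, payload)
    if code != VTP_SUMMARY:
        raise ValueError(f"not a summary advertisement (code {code:#x})")
    return VtpSummary(version, followers, name[:dlen].decode("ascii", "replace"),
                      revision, str(IPv4Address(updater)),
                      timestamp.decode("ascii", "replace"), digest)


def would_accept(local_domain: str, local_revision: int, adv: VtpSummary,
                 expected_digest: Optional[bytes] = None) -> Tuple[bool, str]:
    """Model of the rule a VTP Server or Client applies to a summary advertisement.

    A real switch recomputes the digest from domain, password and VLAN data; that
    Cisco-specific computation is replaced here by `expected_digest` (assumption of
    this example). Note what is NOT checked: who sent the frame. Any device that knows
    the domain name and the shared password (or none, if no password is configured)
    and advertises a higher revision number is obeyed.
    """
    if adv.domain != local_domain:
        return False, "ignored: management domain does not match"
    if expected_digest is not None and adv.md5_digest != expected_digest:
        return False, "ignored: MD5 digest mismatch (wrong password or VLAN data)"
    if adv.revision <= local_revision:
        return False, f"ignored: revision {adv.revision} is not higher than {local_revision}"
    return True, (f"accepted: revision {adv.revision} > {local_revision}; the VLAN database "
                  "in the following subset advertisements replaces the local one")


if __name__ == "__main__":
    # Constructed sample: a spare switch brought back with a stale but higher revision
    # number, the accidental VLAN wipe described in the text.
    frame = build_summary("CORP", revision=57, updater="10.1.1.9", digest=b"\x11" * 16)
    adv = parse_summary(frame)
    print(adv)
    print(would_accept("CORP", local_revision=12, adv=adv))
```

Run it against a real capture by feeding parse_summary the bytes that follow the SNAP header of a frame sent to 01:00:0C:CC:CC:CC; the would_accept model shows that the only things standing between a crafted frame and every switch in the domain are the domain name, the shared secret and a counter.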
Interfaces\Ports are very important to secure. We suggest hardening the mode of operation of every interface\port on your devices. A port is usually either an "Access" port or a "Trunk" port. The difference is that an Access port carries one single VLAN (Virtual LAN) while a Trunk port carries several VLANs (802.1Q tagging). Configure the mode of operation of every port explicitly and don't rely on any dynamic negotiation protocol such as DTP. DTP, the Dynamic Trunking Protocol (Cisco proprietary), negotiates the port mode between two devices, and on many Catalyst switches a port is in dynamic mode by default. An attacker can use it to turn a port into a trunk when it should be an access port; with a trunk interface they have Layer 2 access to every VLAN allowed on the trunk, not just the one their access port was supposed to be in. The commands to fix a port are "switchport mode access" (or "switchport mode trunk" on real uplinks) followed by "switchport nonegotiate", which stops the port from sending DTP frames at all. Use them on every port on the switch, prune the allowed VLAN list on trunks, and put unused ports in shutdown.
If your switch provides extra security features like Cisco's port-security, use them! Port-security limits how many MAC addresses a port may learn ("switchport port-security maximum") and can pin the learned addresses with the sticky-mac feature ("switchport port-security mac-address sticky"), which is very useful in big corporations. Use the maximum potential of your switch to gain maximum security for your network.
Spanning-tree hardening and security
Spanning tree is the most famous Layer 2 protocol. Spanning tree is an algorithm for breaking loops and so avoiding broadcast storms (one broadcast Ethernet frame is sent, and because there is a loop somewhere between the switches they keep flooding that same frame over and over; nothing in Ethernet ever makes it stop). The spanning-tree family includes the original standard (802.1D), Cisco's per-VLAN PVST\PVST+ and Rapid PVST+, RSTP (802.1w), MST (802.1s) and more.
In every spanning-tree variant, the first step of convergence is root election: the switch with the lowest bridge ID becomes the root (yes, in spanning tree the lowest value is the best one). The bridge ID is the configured priority followed by the switch's MAC address, so when two switches have the same priority the lower MAC address breaks the tie.
At the end of the convergence process all switches know which switch is the root, and they form a tree in which every loop is broken: at least one interface on each loop goes into blocking state and stops forwarding.
You have to harden the shape of the spanning tree. Decide on one or two candidate root switches (usually the backbone\core switches). They must have the lowest priorities in the network, for example 4096 on the primary and 8192 on the secondary (on Cisco, "spanning-tree vlan 1-4094 root primary" and "root secondary" do this for you). Keep in mind that this only happens if you explicitly configure it on those two switches; by default every switch uses the same priority (32768) and the election is decided by whoever happens to have the lowest MAC address.
Another hazard to keep in mind is users who connect new switches on their own without the administrator knowing. A user who needs more outlets for more computers brings a switch from home, plugs it into the wall outlet and connects the other computers to it. At first this may seem harmless, but in fact it is one of the major causes of broadcast storms, and a switch that runs spanning tree with the default priority can even win the root election if its MAC address is lower than your core's.
You will want your switch to shut down such a user's port the moment an external switch shows up on it. Cisco has several features for this tree hardening: BPDU guard (err-disables a PortFast port as soon as any BPDU arrives on it), root guard (blocks a port that receives a superior BPDU, so no switch behind it can become root), BPDU filter and more. Use them wisely: BPDU guard belongs on every access port, root guard on ports facing switches that must never become root, and BPDU filter should be avoided on its own, since it silently stops the port from taking part in spanning tree, which is exactly how loops appear.
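The election and the two guards above, as an added example in Python (not from the original article and not Cisco code): it parses an 802.1D configuration BPDU built from constructed bytes, runs the root election on bridge IDs, and shows what the same rogue BPDU does on a BPDU-guarded access port, a root-guarded uplink and an unprotected port. The port and switch names are made up for the example.

```python
"""802.1D configuration BPDUs: root election and what BPDU guard / root guard do."""
import struct
from dataclasses import dataclass

# Configuration BPDU, 35 bytes (802.1D-1998 9.3.1). Timers are in units of 1/256 s.
BPDU_FMT = "!HBBB8sI8sHHHHH"   # proto id, version, type, flags, root id, root path cost,
                                # bridge id, port id, message age, max age, hello, fwd delay
CONFIG_BPDU = 0x00


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID compared as (priority, MAC): lower wins, the MAC breaks priority ties."""
    priority: int   # 16 bits; with extended system ID the low 12 bits carry the VLAN number
    mac: bytes      # 6 bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(int.from_bytes(raw[:2], "big"), bytes(raw[2:8]))

    def to_bytes(self) -> bytes:
        return self.priority.to_bytes(2, "big") + self.mac


@dataclass
class ConfigBpdu:
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int


def build_config_bpdu(root: BridgeId, cost: int, bridge: BridgeId,
                      port_id: int = 0x8001) -> bytes:
    """Constructed sample BPDU with default timers (max age 20 s, hello 2 s, fwd delay 15 s)."""
    return struct.pack(BPDU_FMT, 0x0000, 0, CONFIG_BPDU, 0, root.to_bytes(), cost,
                       bridge.to_bytes(), port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(data: bytes) -> ConfigBpdu:
    if len(data) < struct.calcsize(BPDU_FMT):
        raise ValueError("truncated BPDU")
    proto, _ver, btype, _flags, root, cost, bridge, port_id, *_timers = \
        struct.unpack_from(BPDU_FMT, data)
    if proto != 0 or btype != CONFIG_BPDU:
        raise ValueError("not a configuration BPDU")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge), port_id)


def elect_root(bridges):
    """Root election: the lowest bridge ID in the domain wins; nothing else is consulted."""
    return min(bridges)


@dataclass
class Port:
    name: str
    bpduguard: bool = False   # "spanning-tree bpduguard enable" on PortFast / edge ports
    rootguard: bool = False   # "spanning-tree guard root" on ports that must never lead to the root


def handle_bpdu(current_root: BridgeId, port: Port, bpdu: ConfigBpdu) -> str:
    """What a switch does with a BPDU arriving on `port`, given the root it currently knows."""
    if port.bpduguard:
        # Any BPDU at all on an edge port means a switch was plugged in: err-disable the port.
        return "err-disabled"
    if bpdu.root < current_root:
        # Superior BPDU: the sender claims a better root than the one we know.
        if port.rootguard:
            return "root-inconsistent"   # port stays blocked while superior BPDUs keep arriving
        return "new-root"                # topology re-converges around the newcomer
    return "root-unchanged"


if __name__ == "__main__":
    core1 = BridgeId(4096, bytes.fromhex("001122000001"))   # intended root
    core2 = BridgeId(8192, bytes.fromhex("001122000002"))   # intended backup root
    rogue = BridgeId(0, bytes.fromhex("aabbcc000001"))      # user's switch, priority 0
    print("elected root:", elect_root([core1, core2, rogue]))   # the rogue wins on ID alone
    bpdu = parse_config_bpdu(build_config_bpdu(rogue, 0, rogue))
    for port in (Port("Gi1/0/7 (user port)", bpduguard=True),
                 Port("Gi1/0/48 (to distribution)", rootguard=True),
                 Port("Gi1/0/9 (unprotected)")):
        print(f"{port.name}: {handle_bpdu(core1, port, bpdu)}")
```

The rogue's BPDU is rejected on the two guarded ports and accepted on the unguarded one, which is the whole argument for configuring the guards on every port rather than trusting the priorities you set on the core.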
Mix of spanning tree protocols over one L2 network
When you build your network, you will probably want to buy switches from a single vendor. The reason is mainly compatibility. When you buy switches from different vendors you usually have trouble with protocol interconnection, spanning tree being the classic example. 802.1D, RSTP (802.1w) and MST (802.1s) are IEEE standards, but the per-VLAN variants (Cisco's PVST+ and Rapid PVST+) are proprietary, and vendors differ in their protection mechanisms, default timers and so on. You will want to avoid this. Build a lab and run compatibility tests before you buy the switches for real.
If you already have a Layer 2 network and had to add switches from a different vendor, you have to pin down all parameters. In spanning tree you have to make sure that the links between the two vendors are consistent: no differences in configuration, timers or VLANs between the vendors.
For example, Cisco switches usually run PVST+ or Rapid PVST+. That means a Cisco switch runs several spanning-tree instances: one per VLAN of its own, whose frames go to a Cisco multicast address that other vendors can't interpret (01:00:0C:CC:CC:CD), plus the standard instance for VLAN 1, whose frames go untagged to the standard 802.1D multicast MAC address (01:80:C2:00:00:00). Cisco also takes some spanning-tree protection measures that are not even configurable: if a switch receives a PVST+ BPDU on a trunk in a VLAN other than the one the BPDU was generated for (typically because the native VLAN differs on the two ends), it puts the port into a blocking "inconsistent" state. The way to avoid this is to configure the same native (untagged) VLAN on both ends of every 802.1Q trunk, without exceptions.
Configure the same values explicitly for every spanning-tree parameter on both sides of the link.
CDP and LLDP
CDP stands for Cisco Discovery Protocol. It is a Layer 2 protocol developed by Cisco that announces the details of the switch to whatever is plugged into each port:
- IP addresses of the management interfaces
- IOS image and version
- platform and switch capabilities
- port name and native VLAN
- and so on.
You don't want a simple user to see this information. Treat CDP as an information leak and disable it, globally with "no cdp run" or at least on user-facing ports with "no cdp enable", leaving it only where IP phones or management tools genuinely need it.
LLDP is the standard (non-proprietary) equivalent of CDP and must be treated the same way ("no lldp run"). Note that Cisco switches ship with LLDP disabled, so check before assuming either way.
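What a user actually learns from one CDP frame, as an added example in Python (not from the original article and not Cisco code): a decoder for the CDP TLV format that is run here over a constructed frame. The device name, addresses, port, platform and version strings in the sample are made up; the TLV layout (version, TTL, checksum, then type/length/value records, with the Addresses TLV carrying NLPID 0xCC for IPv4) is the documented one. The checksum is left at zero in the constructed sample and is not verified by the decoder.

```python
"""Decode a CDP frame the way anyone on the same segment can (no credentials needed)."""
import struct
from ipaddress import IPv4Address

# CDP payload after the SNAP header (OUI 00:00:0C, type 0x2000):
# version (1), TTL (1), checksum (2), then TLVs of type (2), length (2, includes header), value.
TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software Version",
             0x0006: "Platform", 0x000A: "Native VLAN"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "TB Bridge", 0x04: "SR Bridge", 0x08: "Switch",
                   0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def addresses_tlv(ips) -> bytes:
    # count (4), then per address: proto type 1 (NLPID), proto len 1, proto 0xCC (IP),
    # address length (2), address.
    body = struct.pack("!I", len(ips))
    for ip in ips:
        body += struct.pack("!BBBH", 1, 1, 0xCC, 4) + IPv4Address(ip).packed
    return tlv(0x0002, body)


def build_cdp(device_id, ips, port_id, caps, sw_version, platform, native_vlan, ttl=180) -> bytes:
    """Constructed sample frame; checksum left at 0 because the decoder below does not verify it."""
    body = (tlv(0x0001, device_id.encode()) + addresses_tlv(ips) + tlv(0x0003, port_id.encode())
            + tlv(0x0004, struct.pack("!I", caps)) + tlv(0x0005, sw_version.encode())
            + tlv(0x0006, platform.encode()) + tlv(0x000A, struct.pack("!H", native_vlan)))
    return struct.pack("!BBH", 2, ttl, 0) + body


def decode_addresses(value: bytes):
    (count,) = struct.unpack_from("!I", value)
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = struct.unpack_from("!BB", value, off)
        off += 2
        proto = value[off:off + plen]
        off += plen
        (alen,) = struct.unpack_from("!H", value, off)
        off += 2
        addr = value[off:off + alen]
        off += alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(str(IPv4Address(addr)))
        else:
            addrs.append(f"non-IPv4 protocol {proto.hex()}")
    return addrs


def parse_cdp(payload: bytes) -> dict:
    version, ttl, _checksum = struct.unpack_from("!BBH", payload)
    info = {"version": version, "ttl": ttl}
    off = 4
    while off + 4 <= len(payload):
        tlv_type, length = struct.unpack_from("!HH", payload, off)
        if length < 4 or off + length > len(payload):
            raise ValueError(f"malformed TLV at offset {off}")
        value = payload[off + 4:off + length]
        off += length
        name = TLV_NAMES.get(tlv_type)
        if name is None:
            continue                      # CDP defines many more TLVs; unknown ones are skipped
        if tlv_type == 0x0002:
            info[name] = decode_addresses(value)
        elif tlv_type == 0x0004:
            (caps,) = struct.unpack("!I", value)
            info[name] = [n for bit, n in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == 0x000A:
            (info[name],) = struct.unpack("!H", value)
        else:
            info[name] = value.decode("ascii", "replace")
    return info


if __name__ == "__main__":
    sample = build_cdp("dist-sw1.example.net", ["10.20.0.2"], "GigabitEthernet1/0/24",
                       0x08 | 0x20, "Cisco IOS Software (constructed sample string)",
                       "cisco WS-C3750X-48", native_vlan=1)
    for key, val in parse_cdp(sample).items():
        print(f"{key:18} {val}")
```

Everything the decoder prints is what "no cdp enable" on a user port takes away from an attacker: a management IP to scan, a software version to match against advisories, and the native VLAN number needed for VLAN hopping attempts.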
Communication separation is an important security measure. Creating separation at Layer 3 is a simple step: get a firewall or create an access list on your router. These devices give you Layer 3, IP-dependent rules for separation.
Getting Layer 2 rules for separation is rather difficult. You don't have many options. Cisco provides VLAN access lists (VACLs, configured as VLAN access maps) that filter traffic inside a VLAN, but these rules can be tricky and hard to maintain.
Private VLANs are an important concept not known to many administrators. You can take one VLAN (or subnet) and, while keeping the same IP address scheme, provide Layer 2 communication separation between the devices in it.
Partition your subnet\VLAN into several groups. Every group is a secondary private VLAN: hosts in an isolated VLAN can talk only to the promiscuous port (usually the gateway), hosts in a community VLAN can also talk to each other, and nothing in one secondary VLAN can talk to another secondary VLAN. You can configure different behaviours with this, but the idea is clear: keep important servers and workstations in separate private VLANs to keep them safe.
Connectivity Protocol’s protection
This section is more of a Layer 3 thing, but all this information travels in Layer 2 frames on the same segment, so it is still relevant!
There are many common protocols that are not safe unless you configure them to be. Every protocol that announces anything outside the router should be considered a hazard.
OSPF has three authentication modes: null (type 0), plaintext (type 1) and MD5 (type 2, "message-digest"). Newer IOS releases also support HMAC-SHA authentication through key chains; use that if you have it, otherwise at least configure MD5 throughout your OSPF network, on every interface in the area.
EIGRP, HSRP and GLBP have the same issue as OSPF. Configure MD5 authentication (EIGRP and HSRP accept a key chain, which also lets you rotate keys), and where the platform offers SHA-based authentication prefer it.
SNMP stands for Simple Network Management Protocol and comes in three versions: 1, 2c and 3. SNMP is simple, yet a very powerful protocol. Using SNMP one can read all the device's details. Think about it: an attacker can really use this kind of information, from IP addresses and routing\ARP tables to interface descriptions and, with write access, the whole configuration.
SNMP has several types of messages. The most important ones are "set" and "get". Set messages write new values into the device's parameters and configuration; get messages read configuration and operational data from it.
The difference between the versions is the protection of the SNMP traffic. Versions 1 and 2c have only the community string, sent in clear text in every packet; anyone who captures SNMP traffic can read the management information and reuse the community string for their own queries (or sets). SNMPv3 is the only version with real security: at the authPriv security level it authenticates every message with an HMAC (SHA) and encrypts the payload (AES), so a captured packet reveals neither credentials nor data. If you need SNMP on your device, use SNMPv3 with authPriv, and restrict who may talk to it with an access list.
Disable “set” messages
Another measure is to disable the "set" messages of SNMP (for any version). If you don't really need them (some management software does), don't grant write access at all: use read-only (RO) communities for v1\v2c, and for v3 give your groups read views only.
Use hard passwords and Secured Protocols!
There are several measures to take care of regarding terminal security:
- Every administrator configures passwords for remote terminal access, usually with Telnet. Use SSH (version 2) instead and disable Telnet completely ("transport input ssh" on the vty lines). The reason is that Telnet is not encrypted: with the right tools an attacker can capture the session and read your passwords and credentials.
- Use a RADIUS\TACACS+ server for authentication (AAA). Don't keep your administrators' credentials locally on the devices; keep only one emergency local account with a strong secret, for the day the AAA server is unreachable.
- The most important thing is to keep your network devices physically safe, under lock. Don't let anyone get physical access to your equipment.
- Last, keep the console line protected too (a login or AAA authentication on "line con 0" and an exec-timeout), just for a rainy day.
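Several of the recommendations above are single lines in a running-config, so they can be checked mechanically. The following added example in Python (not from the original article and not a Cisco tool) audits a Catalyst-style running-config for the VTP mode, the CDP\LLDP state, DTP and port-security on every port, BPDU guard on access ports, v1\v2c SNMP communities (flagging RW ones) and Telnet on the vty lines. Both configs are constructed samples: a weak one and the same switch after the article's advice. It assumes the running-config shows the "vtp mode" line (true on current IOS) and that the indentation follows the usual IOS layout; the check list is the article's, not a complete hardening baseline.

```python
"""Audit a Catalyst-style running-config for the hardening items in this article."""
import re

# Constructed sample: an access switch as it often looks after "default" provisioning.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
!
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
line vty 0 4
 transport input telnet ssh
"""

# The same switch after the article's recommendations. The SNMPv3 user is created at the
# CLI and never shows in the running-config, so only the v3 group appears here.
HARDENED_CONFIG = """\
vtp mode transparent
no cdp run
spanning-tree portfast bpduguard default
snmp-server group NETMON v3 priv
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
line vty 0 4
 transport input ssh
"""


def parse_ios(config):
    """Split into (command, [sub-commands]) blocks: top-level commands start at column 0,
    their children are indented by one space, '!' lines are separators."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_port(header, children, global_cmds):
    out = []
    if "shutdown" in children or "no switchport" in children:
        return out                         # unused or routed port: not a DTP/L2 concern here
    modes = [c for c in children if c.startswith("switchport mode ")]
    if not modes or modes[0].startswith("switchport mode dynamic"):
        out.append(f"{header}: DTP negotiation possible (dynamic or default mode); set a static mode")
    if "switchport nonegotiate" not in children:
        out.append(f"{header}: DTP frames still sent; add 'switchport nonegotiate'")
    if "switchport mode access" in children:
        if "switchport port-security" not in children:
            out.append(f"{header}: access port without port-security")
        if ("spanning-tree bpduguard enable" not in children
                and "spanning-tree portfast bpduguard default" not in global_cmds):
            out.append(f"{header}: access port without BPDU guard")
    return out


def audit(config):
    blocks = parse_ios(config)
    global_cmds = {h for h, _ in blocks}
    findings = []
    if not global_cmds & {"vtp mode transparent", "vtp mode off"}:
        findings.append("VTP: mode not transparent/off; a higher revision in the domain rewrites the VLANs")
    if "no cdp run" not in global_cmds:
        findings.append("CDP: running globally (default); 'no cdp run', or 'no cdp enable' on user ports")
    if "lldp run" in global_cmds:
        findings.append("LLDP: enabled globally; 'no lldp run' unless phones need LLDP-MED")
    for cmd in sorted(global_cmds):
        m = re.match(r"snmp-server community (\S+)(.*)", cmd)
        if m:
            access = "RW (allows SNMP set)" if " RW" in m.group(2).upper() else "RO"
            findings.append(f"SNMP: v1/v2c community '{m.group(1)}' {access}; move to SNMPv3 authPriv")
    for header, children in blocks:
        if header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if not transport or any("telnet" in c or c.endswith(" all") for c in transport):
                findings.append(f"{header}: Telnet permitted; use 'transport input ssh'")
        elif header.startswith("interface "):
            findings.extend(audit_port(header, children, global_cmds))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        print("\n".join("   " + f for f in audit(cfg)))
```

Feed it the output of "show running-config" from a real switch and the findings come back as the interface or line they belong to, which is usually all that is needed to write the fix.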