Additional Switch Controls: Layer 2


The following are additional controls for switches, or layer 2 devices.

1 Verify that administrators avoid using VLAN 1.

By default, all ports on a Cisco switch are members of VLAN 1. Avoiding the use of VLAN 1 prevents network intruders from plugging into unused ports and communicating with the rest of the network.

How

Discuss this practice with the administrator, and review the configuration file for the existence of VLAN 1.

2 Evaluate the use of trunk autonegotiation.

A trunk on a switch carries traffic for two or more VLANs over a single aggregate port, giving traffic access to any of those VLANs. There are two trunking protocols: 802.1q, which is an open standard, and ISL, which was developed by Cisco. Some switch models and software versions default to autotrunking mode, in which a port automatically attempts to convert the link into a trunk. The Dynamic Trunking Protocol (DTP) negotiates which trunking protocol the link should use and how it should operate. When a link is converted this way, generally speaking, all the VLANs on the switch become members of the new trunk port. Disabling trunk autonegotiation mitigates the risk of a VLAN-hopping attack, whereby someone in one VLAN is able to access resources in another VLAN.

How

Discuss with the network administrator, and review the configuration file. The following five best practices may help you decide whether trunk autonegotiation is configured appropriately on the ports of your switch. The examples and practices come from the NSA Switch Configuration Guide.

  1. Do not use the Dynamic Trunking Protocol (DTP) if possible. Assign trunk interfaces to a native VLAN other than VLAN 1.

    Switch(config)# interface fastethernet 0/1
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport trunk native vlan 998

  2. Put nontrunking interfaces in permanent nontrunking mode without negotiation.

    Switch(config)# interface fastethernet 0/1
    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport nonegotiate

  3. Put trunking interfaces in permanent trunking mode without negotiation.

    Switch(config)# interface fastethernet 0/1
    Switch(config-if)# switchport mode trunk
    Switch(config-if)# switchport nonegotiate

  4. Specifically list all VLANs that are part of the trunk.

    Switch(config)# interface fastethernet 0/1
    Switch(config-if)# switchport trunk allowed vlan 6,10,20,101

  5. Use a unique native VLAN for each trunk on a switch.

    Switch(config)# interface fastethernet 0/1
    Switch(config-if)# switchport trunk native vlan 998
    Switch(config)# interface fastethernet 0/2
    Switch(config-if)# switchport trunk native vlan 997

3 Verify that Spanning-Tree Protocol attack mitigation is enabled (BPDU Guard, Root Guard).

The risk here is that an attacker can use the Spanning-Tree Protocol to change the topology of the network. The Spanning-Tree Protocol is designed to prevent network loops from developing. The switch learns the network topology and moves a port through four states (blocking, listening, learning, and forwarding) while ensuring that an endless loop is not developing in the network traffic patterns.

How

Discuss with the network administrator, and review the configuration file. For access ports, look for the following configuration:

    spanning-tree portfast
    spanning-tree bpdufilter enable
    spanning-tree bpduguard enable

For downlink ports to other switches, look for the following configuration:

    spanning-tree guard root
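The trunk practices and Spanning-Tree checks above can be audited mechanically rather than by eye. The following Python script is an added example, not code from the book or the NSA guide: it parses a constructed running-config excerpt and flags ports that violate the DTP, native VLAN, allowed-VLAN, root guard, VLAN 1 and BPDU guard checks described above, treating trunks as the downlinks to other switches that should carry root guard.

```python
# Constructed running-config excerpt (not from the book or the NSA guide): Fa0/1
# follows the practices above, Fa0/2 is a trunk at its defaults, Fa0/3 a bare access port.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 6,10,20,101
 switchport nonegotiate
 spanning-tree guard root
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
 switchport mode access
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented configuration lines."""
    blocks, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # any other top-level line ends the interface block
    return blocks

def audit(config):
    """Return (interface, finding) pairs for the trunk, VLAN 1 and STP checks above."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        def setting(prefix, default):  # last word of the first line with this prefix
            return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)
        mode = setting("switchport mode", "dynamic")  # IOS ports default to dynamic
        if mode not in ("trunk", "access") or "switchport nonegotiate" not in lines:
            findings.append((name, "DTP negotiation not disabled"))
        if mode == "trunk":
            if setting("switchport trunk native vlan", "1") == "1":
                findings.append((name, "trunk native VLAN is 1"))
            if setting("switchport trunk allowed vlan", None) is None:
                findings.append((name, "trunk carries all VLANs"))
            if "spanning-tree guard root" not in lines:
                findings.append((name, "no root guard on trunk"))
        elif mode == "access":
            if setting("switchport access vlan", "1") == "1":
                findings.append((name, "access port in VLAN 1"))
            if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "portfast without BPDU guard"))
    return findings
```

Run `audit()` over a saved `show running-config` and each returned pair names the port and the control it fails; an empty list means every trunk and access port passes these checks.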

4 Evaluate the use of VLANs on the network.

VLANs should be used to break up broadcast domains and, where necessary, to help divide resources with different security levels.

How

Discuss the application of VLANs with the network administrator. Devices at different security levels ideally should be isolated on separate switches or layer 2 devices. For example, if you have equipment that, for some reason, cannot be protected with the company's standard antivirus software and security patches, you could place that equipment on a separate VLAN.

5 Disable all unused ports and put them in an unused VLAN.

This setup prevents network intruders from plugging into unused ports and communicating with the rest of the network.

How

Discuss this practice with the network administrator.

6 Evaluate use of the VLAN Trunking Protocol (VTP) in the environment.

VTP is a layer 2 messaging protocol that distributes VLAN configuration information over trunks. VTP allows the addition, deletion, and renaming of VLANs on a network-wide basis. A network attacker could add or remove VLANs from the VTP domain as well as create Spanning-Tree Protocol loops. Both situations can lead to disastrous results that are very difficult to troubleshoot. This would not have to be a malicious event. A switch with a higher configuration revision number in its VTP database has authority over switches with a lower number. If you had a lab switch with a higher revision number and placed it on the production network, you might accidentally reconfigure your entire network.

How

Discuss the use of VTP with the network administrator to ensure that passwords are used if VTP is necessary. VTP should be turned off if it is not used. The VTP mode of a switch can be server, client, or transparent. Use transparent mode unless client or server mode is required.

If VTP is necessary, then domains should be set up for different areas of the network, and passwords should be enabled. Look for these lines in the configuration file:

    vtp domain domain_name
    vtp password Some_strong_password

7 Verify that thresholds exist that limit broadcast/multicast traffic on ports.

Configuring storm controls helps to mitigate the risk of a network outage in the event of a broadcast storm.

How

Discuss with the administrator, and review the configuration file for the presence of storm-control [broadcast | multicast | unicast] level commands on the ports.



IT Auditing. Using Controls to Protect Information Assets
Year: 2004