Microsoft PowerPoint - 2.Catalyst Switch Intrastructure Protection_이충용_V1 0.ppt [Compatibility Mode]


1 Catalyst Switch Infrastructure Protection Cisco Systems Korea SE 이충용

2 Overview
DoS (Denial of Service) targets
- Server resources
- Network resources
- Network devices (routers, firewalls, etc.)
A switch is just a switch! But even the switch should block at least basic DoS attacks and protect its own resources: that is what the Catalyst Switch Security Feature Set is for.

3 Overview
Blocking or mitigating the exhaustion of server/network resources by DoS traffic
- Storm Control
Blocking IP spoofing
- DHCP environments: DHCP Snooping (blocks bogus IP address assignment), Dynamic ARP Inspection (blocks ARP attacks), IP Source Guard
- General environments (static or DHCP addressing): Unicast Reverse Path Forwarding
Protecting the Catalyst switch's own resources
- Port Security
- Spanning tree protocol security
- Control Plane Policing

4 Storm Control
Purpose of Storm Control
- Block or mitigate DoS attacks
- Prevent server/network resource exhaustion caused by a large volume of packets
Concept
- A usage limit is applied per port/interface and per traffic type
- The action the switch takes when the configured limit is exceeded is configurable
- Traffic types: unicast, multicast, broadcast
- Threshold basis: utilization (percentage of interface bandwidth) or pps

5 Storm Control
How to Config
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# storm-control broadcast level level[.level]
- R(config-if)# storm-control multicast level level[.level]
- R(config-if)# storm-control unicast level level[.level]
Example
- R(config)# interface gigabitethernet 3/16
- R(config-if)# storm-control broadcast level
- R(config-if)# end

6 DHCP Snooping
Purpose of DHCP Snooping
- Prevent clients from using bogus IP addresses handed out by private or rogue DHCP servers.
Concept
- Untrusted ports are used only by clients; if a packet in which a DHCP server assigns an address to a client (Offer, Ack, etc.) arrives on such a port, it is dropped.
- Addresses offered by a DHCP server are accepted only when they arrive on a trusted port.
[Figure: DHCP clients on untrusted ports; the legitimate DHCP Server's Offers/Acks arrive on a trusted port and are forwarded, while the Offers/Acks of a Rogue DHCP Server on an untrusted port are dropped.]

7 DHCP Snooping
When DHCP Snooping is enabled, a new database (the DHCP snooping binding table) is created and maintained, containing:
- MAC address, IP address
- Lease time, VLAN and port information
This database is later used by Dynamic ARP Inspection and IP Source Guard.
[Figure: DHCP client binding table, with the DHCP server on the trusted port]
VLAN | Interface | MAC Address       | IP Address
100  | E 2/5     | 00:0F:20:3B:BA:85 |

8 DHCP Snooping
How to Config
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan {vlan_id [vlan_id] | vlan_range}
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# ip dhcp snooping trust   (only on the port facing the legitimate DHCP server or the uplink)
Example
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan
- R(config)# interface fastethernet 5/12
- R(config-if)# ip dhcp snooping trust

9 Dynamic ARP Inspection
How an ARP attack works
- The attacker sends gratuitous ARP replies.
- Once the ARP caches of the target devices have been altered, all traffic exchanged between PC_A and PC_B is sent through the attacker's PC.
[Figure: the Attacker sends a gratuitous ARP to PC_A ("I'm PC_B and this is my MAC") and another to PC_B ("I'm PC_A and this is my MAC"); the attacker now sees all their traffic.]

10 Dynamic ARP Inspection
Purpose of Dynamic ARP Inspection
- Block ARP spoofing attacks
- Block ARP cache poisoning
Concept
- Bogus gratuitous ARP packets arriving on untrusted ports are dropped.
- The sender MAC/IP pair in each ARP packet is checked against the database built by DHCP snooping.
[Figure: a gratuitous ARP whose sender MAC/IP pair does not match the binding table entry for its ingress port is dropped by the switch (SW).]
Binding Table
VLAN | Interface | MAC Address       | IP Address
100  | E 2/5     | 00:0F:20:3B:BA:85 |
     | E 2/1     | 00:0A:20:1B:AA:76 |

11 Dynamic ARP Inspection
How to Config
- R(config)# ip arp inspection vlan vlan_range
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# ip arp inspection trust
Example
- R(config)# ip arp inspection vlan
- R(config)# interface fastethernet 5/12
- R(config-if)# ip arp inspection trust
- R(config-if)# end

12 IP Source Guard
Purpose of IP Source Guard
- Block IP address spoofing
- Block the use of arbitrary, user-chosen IP addresses in a DHCP environment
Concept
- Using the DHCP snooping binding table, only the IP address actually leased to the node attached to a port is permitted on that port (all other IP traffic is blocked).
[Figure: the host with MAC 00:0F:20:3B:BA:85 on E 2/5 sends an IP packet with a spoofed source address belonging to the host 00:0A:20:1B:AA:76 on E 2/1; the switch drops it.]
Interface | MAC Address       | IP Address
E 2/5     | 00:0F:20:3B:BA:85 |
E 2/1     | 00:0A:20:1B:AA:76 |

13 IP Source Guard
How to Config
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan number [number]
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# no ip dhcp snooping trust
- R(config-if)# ip verify source [vlan {dhcp-snooping vlan-list}] [port-security]
Example
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan
- R(config)# interface fastethernet 5/12
- R(config-if)# no ip dhcp snooping trust
- R(config-if)# ip verify source vlan dhcp-snooping
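The three features above share one data structure: DHCP snooping writes the binding table, and Dynamic ARP Inspection and IP Source Guard read it. The following Python model, added here as an illustration and not Cisco code, walks through the whole chain for the scenario in slides 6 to 13: a rogue server's offer is dropped on an untrusted port, a legitimate ACK on the trusted port creates a binding for the client's access port, and the binding then decides whether a gratuitous ARP or an IP packet from that port is forwarded. The port names, the VLAN, the 192.0.2.x addresses and the third MAC are constructed; the two other MAC addresses are the ones shown in the slides.

```python
"""Added example (not Cisco code): a model of how DHCP snooping builds the
binding table and how DAI and IP Source Guard consult it.  Port names,
VLAN numbers and the 192.0.2.x addresses are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    port: str
    mac: str
    ip: str


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the real DHCP server / uplink
        self.pending = {}                   # client mac -> (vlan, access port) of its request
        self.bindings = {}                  # (vlan, port, mac) -> Binding
        self.dropped = []                   # (feature, reason) for every drop

    def _drop(self, feature, reason):
        self.dropped.append((feature, reason))
        return "drop"

    # --- DHCP snooping -------------------------------------------------------
    def dhcp_client_msg(self, vlan, port, mac):
        """DISCOVER/REQUEST from a client: remember which access port it came from."""
        self.pending[mac] = (vlan, port)
        return "forward"

    def dhcp_server_msg(self, vlan, port, msg_type, chaddr, yiaddr):
        """OFFER/ACK: dropped on untrusted ports.  An ACK on a trusted port creates a
        binding for the client's access port, not for the port the ACK arrived on."""
        if port not in self.trusted:
            return self._drop("dhcp-snooping", f"server message {msg_type} on untrusted {port}")
        if msg_type == "ACK" and chaddr in self.pending:
            c_vlan, c_port = self.pending.pop(chaddr)
            self.bindings[(c_vlan, c_port, chaddr)] = Binding(c_vlan, c_port, chaddr, yiaddr)
        return "forward"

    # --- Dynamic ARP Inspection ----------------------------------------------
    def arp(self, vlan, port, sender_mac, sender_ip):
        """Untrusted ports: the sender MAC/IP pair must match a binding on that port."""
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, port, sender_mac))
        if b is None or b.ip != sender_ip:
            return self._drop("dai", f"{sender_mac}/{sender_ip} has no binding on {port}")
        return "forward"

    # --- IP Source Guard -----------------------------------------------------
    def ip(self, vlan, port, src_mac, src_ip):
        """IP+MAC filter: only the (MAC, IP) leased to this port may source traffic."""
        b = self.bindings.get((vlan, port, src_mac))
        if b is None or b.ip != src_ip:
            return self._drop("ipsg", f"spoofed source {src_ip} from {src_mac} on {port}")
        return "forward"


def run_scenario():
    """Constructed scenario: Gi1/1 is the only trusted port (towards the real server)."""
    sw = Switch(trusted_ports={"Gi1/1"})
    A, B = "00:0F:20:3B:BA:85", "00:0A:20:1B:AA:76"   # MACs from the slide deck
    r = {}
    # A and B request addresses; the legitimate server (behind Gi1/1) answers.
    sw.dhcp_client_msg(100, "Fa0/5", A)
    sw.dhcp_server_msg(100, "Gi1/1", "ACK", A, "192.0.2.10")
    sw.dhcp_client_msg(100, "Fa0/1", B)
    sw.dhcp_server_msg(100, "Gi1/1", "ACK", B, "192.0.2.11")
    # A rogue server on an access port tries to hand out a lease: dropped.
    r["rogue_offer"] = sw.dhcp_server_msg(100, "Fa0/7", "OFFER", A, "192.0.2.200")
    # B announces its own address, then impersonates A with a gratuitous ARP.
    r["arp_ok"] = sw.arp(100, "Fa0/1", B, "192.0.2.11")
    r["arp_spoof"] = sw.arp(100, "Fa0/1", B, "192.0.2.10")
    # B sources IP traffic from its own lease, then from A's address.
    r["ip_ok"] = sw.ip(100, "Fa0/1", B, "192.0.2.11")
    r["ip_spoof"] = sw.ip(100, "Fa0/1", B, "192.0.2.10")
    r["bindings"] = sorted((b.port, b.mac, b.ip) for b in sw.bindings.values())
    r["drops"] = [feature for feature, _ in sw.dropped]
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The model makes the ordering dependency visible: an access port whose client obtained its lease before `ip dhcp snooping` was enabled has no binding, so IP Source Guard blocks it until the client renews. On a real switch the same table is inspected with `show ip dhcp snooping binding`.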

14 Unicast Reverse Path Forwarding
Purpose of uRPF
- Block IP address spoofing
Concept
- For every packet arriving on an interface, the source IP address is looked up in the routing table to check whether it is reachable (the reverse path) via that same interface; only packets that pass are forwarded.
There are two uRPF modes
- Strict mode: the packet is accepted only if the reverse path to its source IP address is via the interface on which the packet arrived. Use it only where routing is symmetric.
- Loose mode: the packet is accepted if a reverse path to its source IP address exists anywhere in the device's routing table (a route pointing to Null 0 does not count).

15 Unicast Reverse Path Forwarding
How to Config
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# ip verify unicast source reachable-via {rx | any} [allow-default] [list]
Example
- R(config)# interface fastethernet 5/12
- R(config-if)# ip verify unicast source reachable-via any
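The difference between `reachable-via rx` (strict) and `reachable-via any` (loose), and what `allow-default` and a Null 0 route do to the check, is easiest to see on a small routing table. The Python below is an added illustration, not Cisco code: it does a longest-prefix-match lookup on a constructed table (RFC 5737 documentation prefixes, invented interface names) and applies the uRPF rules from the previous slide to a set of source addresses.

```python
"""Added example (not Cisco code): strict vs loose uRPF decided by a
longest-prefix-match lookup.  The routing table, interface names and
addresses below are constructed for illustration."""
import ipaddress


class Router:
    def __init__(self):
        self.routes = []  # (network, egress interface); "Null0" marks a discard route

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, address):
        """Longest-prefix match; returns (network, interface) or None."""
        addr = ipaddress.ip_address(address)
        matches = [(n, i) for n, i in self.routes if addr in n]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

    def urpf(self, ingress, src, mode="strict", allow_default=False):
        """True if a packet with source `src` arriving on `ingress` passes uRPF.
        strict: the reverse path must leave via `ingress`.
        loose:  any reverse path suffices, except a route to Null0.
        A default route only counts when allow-default is set."""
        route = self.lookup(src)
        if route is None:
            return False                  # no route back to the source at all
        network, interface = route
        if network.prefixlen == 0 and not allow_default:
            return False                  # matched only the default route
        if interface == "Null0":
            return False                  # discard route: the source is blackholed
        if mode == "loose":
            return True
        return interface == ingress


def build_router():
    r = Router()
    r.add_route("192.0.2.0/24", "Gi1/1")      # LAN behind Gi1/1
    r.add_route("198.51.100.0/24", "Gi1/2")   # LAN behind Gi1/2
    r.add_route("203.0.113.0/24", "Null0")    # blackholed prefix
    r.add_route("0.0.0.0/0", "Gi1/2")         # default route towards the upstream
    return r


def demo():
    r = build_router()
    return {
        # a legitimate source arriving on its own interface passes in both modes
        "strict_own": r.urpf("Gi1/1", "192.0.2.5", "strict"),
        # a source from the Gi1/2 LAN arriving on Gi1/1: strict fails, loose passes
        "strict_other": r.urpf("Gi1/1", "198.51.100.7", "strict"),
        "loose_other": r.urpf("Gi1/1", "198.51.100.7", "loose"),
        # a blackholed source is rejected even in loose mode
        "loose_null0": r.urpf("Gi1/1", "203.0.113.9", "loose"),
        # a source covered only by the default route needs allow-default
        "loose_default": r.urpf("Gi1/1", "100.64.1.1", "loose"),
        "loose_allow_default": r.urpf("Gi1/1", "100.64.1.1", "loose", allow_default=True),
        # strict + allow-default still requires the default route to point at the ingress
        "strict_allow_default_wrong_if": r.urpf("Gi1/1", "100.64.1.1", "strict", allow_default=True),
        "strict_allow_default_right_if": r.urpf("Gi1/2", "100.64.1.1", "strict", allow_default=True),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:32} {'pass' if passed else 'DROP'}")
```

The two `allow-default` cases show why strict mode on an upstream-facing interface is usually wrong: almost every Internet source matches only the default route, so without `allow-default` everything is dropped, and with it the check degenerates to "did the default route point here", which is loose mode in disguise.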

16 Port Security
Purpose of Port Security
- Block MAC spoofing and MAC flooding
- Block CAM attack tools (CAM: Content Addressable Memory, the hardware MAC address table)
Concept
- Limit the number of MAC addresses learned per port
- Optionally, statically fix the MAC address(es) allowed on a port
- Optionally (sticky), convert the MAC addresses dynamically learned on a port into fixed entries
[Figure: MAC table flooding]

17 Port Security
How to Config
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# switchport port-security
- R(config-if)# switchport port-security violation {protect | restrict | shutdown}
  (protect drops offending frames silently; restrict drops them and raises a syslog/SNMP notification and a violation counter; shutdown err-disables the whole port)
- R(config-if)# switchport port-security maximum number_of_addresses [vlan {vlan_id | vlan_range}]
- R(config-if)# switchport port-security mac-address [sticky] [mac_address] [vlan vlan_id]
Example
- R(config)# interface fastethernet 5/12
- R(config-if)# switchport port-security
- R(config-if)# switchport port-security violation protect
- R(config-if)# switchport port-security maximum 5
- R(config-if)# switchport port-security mac-address b
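The three violation modes behave very differently once the MAC limit is reached, and sticky learning changes what ends up in the saved configuration. The Python below is an added model of that behaviour, not Cisco code: the port names, the MAC addresses and the syslog line (modelled on the name of the IOS message) are constructed for illustration.

```python
"""Added example (not Cisco code): port-security behaviour for the three
violation modes and for sticky learning.  Port names, MACs and the syslog
text are constructed; the message name mirrors the IOS one."""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", static=(), sticky=False):
        assert violation in ("protect", "restrict", "shutdown")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure = {mac: "static" for mac in static}   # mac -> how it was secured
        self.err_disabled = False
        self.violation_count = 0
        self.syslog = []

    def frame(self, src_mac):
        """Classify a frame by source MAC: 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"             # stays down until errdisable recovery / shut-no shut
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # maximum reached and this MAC is not secured: a violation
        if self.violation == "protect":
            return "drop"                     # silent: no counter, no syslog
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src_mac} on {self.name}")
        if self.violation == "restrict":
            return "drop"                     # only the offending frame is dropped
        self.err_disabled = True              # shutdown mode: the whole port goes down
        return "err-disabled"

    def running_config(self):
        """Lines the switch would save: static and sticky addresses survive a reload,
        dynamically learned ones do not."""
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, how in self.secure.items():
            if how == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif how == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


def demo(hosts=("00:0F:20:3B:BA:85", "00:0A:20:1B:AA:76", "00:11:22:33:44:55")):
    """Two hosts fit under maximum 2; the third MAC is the CAM-flooding attacker."""
    a, b, attacker = hosts
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort("FastEthernet5/12", maximum=2, violation=mode)
        # a and b are learned, the attacker violates, then a tries again
        out[mode] = [p.frame(a), p.frame(b), p.frame(attacker), p.frame(a)]
        out[mode + "_violations"] = p.violation_count
    sticky = SecurePort("FastEthernet5/13", maximum=1, sticky=True)
    sticky.frame(a)
    out["sticky_config"] = sticky.running_config()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note the collateral damage in `shutdown` mode: the legitimate host `a` is cut off together with the attacker, which is exactly the DoS vector a shared-media or hub port exposes. `restrict` keeps the legitimate hosts up and still leaves evidence in the counter and syslog; `protect` (the mode in the slide's example) leaves no evidence at all, so pair it with `show port-security interface` monitoring if you use it.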

18 Spanning tree protocol security
STP vulnerabilities
- STP is a very useful protocol, but it is vulnerable to several attacks
- It has no authentication or encryption to prevent arbitrary topology changes
- An attacker can easily generate bogus BPDUs and trigger topology recalculation, causing network service interruption and loops that lead to outages
To protect a bridged network running STP, apply the following STP security features
- BPDU Guard
- STP Root Guard

19 Spanning tree protocol security
BPDU Guard
- If a BPDU arrives on an interface with PortFast enabled, the port is shut down (err-disabled).
- As a result, no STP-enabled switch can be attached to that port.
Root Guard
- As soon as a superior BPDU is received on a port with Root Guard applied, that BPDU is blocked and the port is placed in the root-inconsistent state; it recovers on its own once superior BPDUs stop arriving.

20 Spanning tree protocol security
How to Config
- R(config)# spanning-tree portfast bpduguard default   (global: enables BPDU Guard on every PortFast-enabled port)
- R(config-if)# spanning-tree guard root   (per interface)

21 Control Plane Policing (CoPP)
What is the control plane?
- The Supervisor of a Catalyst 6500 or 4500 consists of a data plane and a control plane (the CPU).
- Data forwarding is handled by the data plane (forwarding plane).
[Figure: the Control Plane (CPU) sits above the Forwarding Plane (Data Plane), which connects to the linecards and interfaces.]
Typically the following packets are processed by the main CPU of the control plane:
- Routing protocols
- Packets destined to the router's own local IP addresses
- Network management protocols, e.g. SNMP
- Interactive access protocols, e.g. SSH, Telnet
- Other protocols, e.g. ICMP, IP options
- Layer 2 packets, e.g. BPDU, CDP, 802.1X (Dot1x)

22 Control Plane Policing (CoPP)
A DoS attack sends traffic at high rates to the control plane, consuming control-plane resources (CPU, memory, etc.).
When a switch's control plane is attacked, the Catalyst switch's availability suffers; instead of a single server, the entire network goes down, with a large business impact.
Purpose of CoPP
- Protect the control plane from DoS attacks directed at the device itself
Concept
- Traffic entering the control plane is filtered and rate-limited using the QoS (policing) machinery, protecting the control plane
- Hardware-based feature

23 Control Plane Policing (CoPP)
When CoPP is enabled, the control plane is protected by the following procedure:
1) A packet arrives on an ingress interface of the device on which CoPP is configured
2) The ACL and QoS policy applied to the input port/interface are applied
3) The packet is passed to the data plane (forwarding engine)
4) The forwarding engine makes a routing or switching decision and determines whether the packet must be sent to the control plane
5) Packets headed to the control plane are processed by CoPP: according to the traffic class policy they are either dropped or delivered to the control plane

24 Control Plane Policing (CoPP)
How to Config (see the URL; the beginning of the address was lost in transcription)
F/native/configuration/guide/dos.html

25 Q & A
