Catalyst Switch Infrastructure Protection Cisco Systems Korea SE 이충용 (choolee@cisco.com)
Overview
DoS (Denial of Service) attack targets
- Server resources
- Network resources
- Network devices (routers, firewalls, etc.)
A switch is only a switch! But even a switch can block at least the basic DoS attacks and protect its own resources: the Catalyst Switch security feature set.
Overview
Blocking or mitigating the exhaustion of server/network resources by DoS traffic
- Storm Control
Blocking IP spoofing
- DHCP environments: DHCP Snooping (blocks bogus IP address assignment), Dynamic ARP Inspection (blocks ARP attacks), IP Source Guard
- General environments (static or DHCP): Unicast Reverse Path Forwarding
Protecting the Catalyst switch's own resources
- Port Security
- Spanning tree protocol security
- Control Plane Policing
Storm Control
Purpose of Storm Control
- Block or mitigate DoS attacks
- Prevent server/network resource exhaustion caused by large volumes of packets
Concept
- A usage limit is applied per port/interface and per traffic type
- The action the switch takes when the configured limit is exceeded is configurable
- Traffic types: unicast, multicast, broadcast
- The threshold is expressed as a percentage of link bandwidth (utilization) or in pps
Storm Control
How to Config
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# storm-control broadcast level level[.level]
- R(config-if)# storm-control multicast level level[.level]
- R(config-if)# storm-control unicast level level[.level]
Example (suppress broadcast traffic above 70.5% of the port's bandwidth)
- R(config)# interface gigabitethernet 3/16
- R(config-if)# storm-control broadcast level 70.5
- R(config-if)# end
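The following is an added example written for this page (it is not Cisco code) that models what the configuration above does: each traffic type gets its own budget per measurement interval, derived from the configured level and the link speed, and only the policed type is suppressed once that budget is used up. The 100 Mb/s link speed, the one-second interval and the frame mix are constructed assumptions; the real switch measures in hardware and its exact suppression timing differs.

```python
"""Simplified per-interval model of Catalyst storm control (added example, not Cisco code).

The switch is modelled as giving each policed traffic type a byte budget per interval:
  budget = link_bps / 8 * interval * level% / 100
Frames of that type are forwarded until the budget for the current interval is used up
and dropped for the rest of the interval; types without a level are never suppressed.
"""
from collections import defaultdict

LINK_BPS = 100_000_000          # constructed: a 100 Mb/s access port
INTERVAL_S = 1.0                # constructed: one measurement interval per second


def storm_control(frames, levels, link_bps=LINK_BPS, interval=INTERVAL_S):
    """Return a 'forward'/'drop' decision for each frame.

    frames -- time-ordered (t_seconds, size_bytes, kind) tuples,
              kind in {"unicast", "multicast", "broadcast"}
    levels -- {kind: level_percent}, e.g. {"broadcast": 70.5}; a kind that is not
              listed is never suppressed (like a port with only 'storm-control broadcast')
    """
    used = defaultdict(int)     # (kind, interval_index) -> bytes already forwarded
    decisions = []
    for t, size, kind in frames:
        level = levels.get(kind)
        if level is None:
            decisions.append("forward")
            continue
        budget = link_bps / 8 * interval * level / 100   # bytes allowed per interval
        key = (kind, int(t // interval))
        if used[key] + size <= budget:
            used[key] += size
            decisions.append("forward")
        else:
            decisions.append("drop")                      # storm: suppress this type
    return decisions


def broadcast_storm(n_frames, t=0.5, size=1500):
    """Constructed traffic: n_frames broadcast frames plus 10 unicast frames at time t."""
    return [(t, size, "broadcast")] * n_frames + [(t, 64, "unicast")] * 10


if __name__ == "__main__":
    decisions = storm_control(broadcast_storm(10_000), {"broadcast": 70.5})
    bcast, ucast = decisions[:10_000], decisions[10_000:]
    print("broadcast forwarded:", bcast.count("forward"), "dropped:", bcast.count("drop"))
    print("unicast forwarded:", ucast.count("forward"))
```

With the 100 Mb/s link and level 70.5 the per-second broadcast budget is 8,812,500 bytes, i.e. 5875 full-size frames; everything beyond that in the same interval is dropped while the unicast frames on the same port are untouched, which is the point of policing per traffic type.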
DHCP Snooping
Purpose of DHCP Snooping
- Prevent clients from using bogus IP addresses handed out by unauthorized or rogue DHCP servers.
Concept
- Untrusted ports are used only for clients; if a DHCP server packet that assigns an IP address to a client (Offer, Ack, etc.) arrives on such a port, it is dropped.
- IP addresses are assigned only by DHCP servers reachable through trusted ports.
[Diagram: DHCP clients on untrusted ports and the legitimate DHCP server on a trusted port; DHCP Offers, Acks, etc. sent by a rogue DHCP server on an untrusted port are dropped.]
DHCP Snooping
Once DHCP snooping is enabled, a new database (the DHCP snooping binding table) is created and maintained, containing
- MAC address and IP address
- Lease time, VLAN and port information
This database is then used by Dynamic ARP Inspection and IP Source Guard.
DHCP client binding table (example, one client that obtained its lease from the DHCP server):
VLAN  Interface  MAC Address        IP Address
100   E 2/5      00:0F:20:3B:BA:85  1.1.1.116
DHCP Snooping
How to Config
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan {vlan_id [vlan_id] | vlan_range}
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# ip dhcp snooping trust
Example
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan 10 12
- R(config)# interface fastethernet 5/12
- R(config-if)# ip dhcp snooping trust
All ports are untrusted by default; apply "ip dhcp snooping trust" only to the port(s) toward the legitimate DHCP server (uplinks), never to client ports.
Dynamic ARP Inspection
ARP attack method
- The attacker sends gratuitous ARP messages.
- Once the victims' ARP caches have been modified, all traffic exchanged between PC_A and PC_B is sent through the attacker's PC.
[Diagram: the attacker sends PC_A a gratuitous ARP saying "I'm PC_B and this is my MAC" and sends PC_B one saying "I'm PC_A and this is my MAC"; the attacker then sees all of their traffic.]
Dynamic ARP Inspection
Purpose of Dynamic ARP Inspection
- Block ARP spoofing attacks
- Block ARP cache poisoning
Concept
- Invalid (gratuitous) ARP packets arriving on untrusted ports are dropped.
- Uses the database built by DHCP snooping: the sender MAC/IP pair in an ARP packet must match a binding for that VLAN and port.
Switch binding table (example):
VLAN  Interface  MAC Address        IP Address
100   E 2/5      00:0F:20:3B:BA:85  1.1.1.116
100   E 2/1      00:0A:20:1B:AA:76  1.1.1.24
[Diagram: the host on E 2/5 (MAC 00:0F:20:3B:BA:85, IP 1.1.1.116) is legitimate; a gratuitous ARP arriving on E 2/1 that claims IP = 1.1.1.116 with MAC = 00:0A:20:1B:AA:76 does not match the binding table and is dropped.]
Dynamic ARP Inspection
How to Config
- R(config)# ip arp inspection vlan vlan_range
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# ip arp inspection trust
Example
- R(config)# ip arp inspection vlan 100
- R(config)# interface fastethernet 5/12
- R(config-if)# ip arp inspection trust
DAI relies on the DHCP snooping binding table, so DHCP snooping must already be running for the VLAN; hosts with statically configured addresses have no binding and their ARP packets will be dropped on untrusted ports unless an entry is provided for them.
IP Source Guard
Purpose of IP Source Guard
- Block IP address spoofing
- In a DHCP environment, prevent users from using an IP address of their own choosing.
Concept
- Using the DHCP snooping binding table, only the IP address assigned to the node connected to a given port is permitted on that port (all other traffic is blocked)
Binding table (example):
Interface  MAC Address        IP Address
E 2/5      00:0F:20:3B:BA:85  1.1.1.116
E 2/1      00:0A:20:1B:AA:76  1.1.1.24
[Diagram: the host on E 2/1 (MAC 00:0A:20:1B:AA:76) sends an IP packet with the spoofed source address 1.1.1.116, which is bound to E 2/5; the packet is dropped.]
IP Source Guard
How to Config
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan number [number]
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# no ip dhcp snooping trust
- R(config-if)# ip verify source [vlan {dhcp-snooping vlan-list}] [port-security]
Example
- R(config)# ip dhcp snooping
- R(config)# ip dhcp snooping vlan 10 20
- R(config)# interface fastethernet 5/12
- R(config-if)# no ip dhcp snooping trust
- R(config-if)# ip verify source vlan dhcp-snooping
Without the port-security keyword, IP Source Guard filters on the source IP address only; add port-security to also check that the source MAC address matches the binding.
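The following is an added example written for this page, not Cisco code, that ties the three DHCP-environment features together in one small model: DHCP snooping drops server messages on untrusted ports and records a binding when a trusted server acknowledges a lease, and Dynamic ARP Inspection and IP Source Guard then validate ARP and IP traffic on untrusted ports against that binding table. The VLAN, port names, MAC and IP addresses are the ones from the binding tables above; the trusted uplink name E 2/48, the message types handled and the behaviour of the checks are simplifying assumptions (lease timers, DHCP option validation and rate limiting are left out).

```python
"""DHCP snooping, DAI and IP Source Guard decision logic (added example, not Cisco code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    interface: str
    mac: str
    ip: str


# DHCP message types that only a server sends; a client never originates these.
DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    """Simplified model of an access switch with DHCP snooping, DAI and IPSG enabled."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.bindings = {}                  # (vlan, client mac) -> Binding
        self._client_port = {}              # client mac -> port its DISCOVER/REQUEST arrived on

    # DHCP snooping: server messages are only accepted from trusted ports, and a
    # confirmed lease (ACK) becomes a binding on the port the client lives on.
    def dhcp(self, port, vlan, msg_type, client_mac, yiaddr=None):
        msg_type = msg_type.upper()
        if msg_type in DHCP_SERVER_MSGS:
            if port not in self.trusted:
                return "drop"               # rogue DHCP server on a client port
            if msg_type == "ACK" and client_mac in self._client_port:
                self.bindings[(vlan, client_mac)] = Binding(
                    vlan, self._client_port[client_mac], client_mac, yiaddr)
            return "forward"
        self._client_port[client_mac] = port   # DISCOVER/REQUEST/RELEASE from a client
        return "forward"

    # Dynamic ARP Inspection: on untrusted ports the ARP sender MAC/IP pair must
    # match a binding learned on that same VLAN and port.
    def arp(self, port, vlan, sender_mac, sender_ip):
        if port in self.trusted:
            return "forward"
        b = self.bindings.get((vlan, sender_mac))
        if b and b.interface == port and b.ip == sender_ip:
            return "forward"
        return "drop"                           # spoofed / gratuitous ARP

    # IP Source Guard: only the IP address bound to this port may be used as source;
    # with the port-security option the source MAC must match the binding as well.
    def ip(self, port, vlan, src_mac, src_ip, port_security=False):
        if port in self.trusted:
            return "forward"
        for b in self.bindings.values():
            if b.vlan == vlan and b.interface == port and b.ip == src_ip:
                if port_security and b.mac != src_mac:
                    continue
                return "forward"
        return "drop"


def build_demo_switch():
    """Rebuild the binding table from the slides: both hosts obtain their leases
    through the trusted uplink E 2/48 (port name assumed for this example)."""
    sw = SnoopingSwitch(trusted_ports={"E 2/48"})
    for port, mac, ip in [("E 2/5", "00:0F:20:3B:BA:85", "1.1.1.116"),
                          ("E 2/1", "00:0A:20:1B:AA:76", "1.1.1.24")]:
        sw.dhcp(port, 100, "DISCOVER", mac)            # client -> server, untrusted port
        sw.dhcp("E 2/48", 100, "ACK", mac, yiaddr=ip)  # server -> client, trusted port
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    attacker = "00:0A:20:1B:AA:76"                     # host on E 2/1
    print("rogue OFFER on E 2/1:", sw.dhcp("E 2/1", 100, "OFFER", "00:0F:20:3B:BA:85", "1.1.1.200"))
    print("gratuitous ARP for 1.1.1.116 from E 2/1:", sw.arp("E 2/1", 100, attacker, "1.1.1.116"))
    print("IP packet spoofing 1.1.1.116 from E 2/1:", sw.ip("E 2/1", 100, attacker, "1.1.1.116"))
```

The last check in the test below is the caveat from the configuration note: with IP-only source guard a host on E 2/5 can still send from 1.1.1.116 with a spoofed MAC, which is why the port-security option exists.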
Unicast Reverse Path Forwarding
Purpose of uRPF
- Block IP address spoofing
Concept
- For every packet arriving on an interface, the source IP address is checked against the routing table (FIB) to verify that it is reachable, and only packets that pass the check are processed
There are two uRPF modes
- Strict mode: a packet is accepted only if the reverse path to its source IP address is via the same interface the packet arrived on.
- Loose mode: a packet is accepted if a route to its source IP address exists anywhere on the device, except a route to Null 0 (sources routed to Null 0 are dropped).
Strict mode drops legitimate traffic where routing is asymmetric (the return path to the source uses a different interface), so use loose mode on such links.
Unicast Reverse Path Forwarding
How to Config
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# ip verify unicast source reachable-via {rx | any} [allow-default] [list]
rx selects strict mode, any selects loose mode; allow-default lets a match on the default route count as a valid reverse path.
Example (loose mode)
- R(config)# interface fastethernet 5/12
- R(config-if)# ip verify unicast source reachable-via any
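The following is an added example written for this page, not Cisco code, showing the decision the two modes make for the same packet. The FIB contents, interface names and the allow-default handling are constructed assumptions; the lookup is a plain longest-prefix match over a list of routes.

```python
"""uRPF strict vs. loose mode check against a small FIB (added example, not Cisco code)."""
import ipaddress

# Constructed FIB: (prefix, next-hop interface). "Null0" is a blackhole route.
FIB = [
    ("10.1.0.0/16", "FastEthernet5/12"),
    ("10.2.0.0/16", "FastEthernet5/13"),
    ("192.0.2.0/24", "Null0"),            # prefix deliberately blackholed
    ("0.0.0.0/0", "FastEthernet5/1"),     # default route toward the core
]


def lookup(src_ip, fib=FIB):
    """Longest-prefix match for src_ip; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(src_ip, ingress_iface, mode="strict", allow_default=False, fib=FIB):
    """Return 'forward' or 'drop' for a packet with src_ip arriving on ingress_iface.

    mode "strict" == 'reachable-via rx': reverse path must be the ingress interface.
    mode "loose"  == 'reachable-via any': any reverse path except Null0 is enough.
    allow_default == the allow-default keyword: let the default route satisfy the check.
    """
    hit = lookup(src_ip, fib)
    if hit is None:
        return "drop"                       # no route to the source at all
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return "drop"                       # only the default route matched
    if iface == "Null0":
        return "drop"                       # blackholed source: dropped in both modes
    if mode == "strict":
        return "forward" if iface == ingress_iface else "drop"
    if mode == "loose":
        return "forward"
    raise ValueError(f"unknown uRPF mode {mode!r}")


if __name__ == "__main__":
    for src, ingress in [("10.1.1.1", "FastEthernet5/12"),   # symmetric path
                         ("10.2.1.1", "FastEthernet5/12"),   # asymmetric path
                         ("192.0.2.5", "FastEthernet5/12"),  # blackholed prefix
                         ("203.0.113.9", "FastEthernet5/12")]:  # default route only
        print(f"{src:>12} on {ingress}: strict={urpf(src, ingress, 'strict')}, "
              f"loose={urpf(src, ingress, 'loose')}, "
              f"loose+allow-default={urpf(src, ingress, 'loose', allow_default=True)}")
```

The asymmetric case (10.2.1.1 arriving on FastEthernet5/12 while the route back points at FastEthernet5/13) is the one that makes strict mode unsuitable on multi-homed links, and the 192.0.2.0/24 row shows how a Null0 route turns loose-mode uRPF into a source-based blackhole.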
Port Security
Purpose of Port Security
- Block MAC spoofing and MAC flooding
- Block CAM attack tools (CAM: Content Addressable Memory, the switch's MAC address table)
Concept
- Limit the number of MAC addresses learned per port
- Optionally fix specific MAC addresses to a port (static entries)
- Optionally fix the MAC addresses learned on a port so they are kept in the configuration (sticky)
[Diagram: MAC table flooding]
Port Security
How to Config
- R(config)# interface {type slot/port | port-channel number}
- R(config-if)# switchport port-security
- R(config-if)# switchport port-security violation {protect | restrict | shutdown}
- R(config-if)# switchport port-security maximum number_of_addresses [vlan {vlan_id | vlan_range}]
- R(config-if)# switchport port-security mac-address [sticky] [mac_address] [vlan vlan_id]
Violation modes: protect silently drops frames from unknown MAC addresses once the maximum is reached; restrict drops them and also counts and logs the violation; shutdown puts the port into err-disabled state.
Example (up to 5 addresses, one of them static, silently dropping the rest)
- R(config)# interface fastethernet 5/12
- R(config-if)# switchport port-security
- R(config-if)# switchport port-security violation protect
- R(config-if)# switchport port-security maximum 5
- R(config-if)# switchport port-security mac-address 0090.2b03.3408
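The following is an added example written for this page, not Cisco code, that models the port configured above under a CAM flooding attack and contrasts the three violation modes. The flood addresses are generated locally and the address/counter representation is a simplification; the real switch also ages entries and reports violations via syslog/SNMP.

```python
"""Port security learning limit and violation modes (added example, not Cisco code)."""


class PortSecurity:
    """One switch port with 'switchport port-security' enabled."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(violation)
        self.maximum = maximum                 # switchport port-security maximum N
        self.violation = violation             # switchport port-security violation MODE
        self.sticky = sticky                   # switchport port-security mac-address sticky
        self.secure = set(static)              # statically configured secure addresses
        self.sticky_learned = []               # addresses that would be saved to the config
        self.violations = 0                    # counter shown by 'show port-security'
        self.err_disabled = False

    def frame(self, src_mac):
        """Process one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"              # port stays down until recovered by an admin
        if src_mac in self.secure:
            return "forward"                   # already a secure address on this port
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)           # dynamic learning within the limit
            if self.sticky:
                self.sticky_learned.append(src_mac)
            return "forward"
        # Limit reached and the address is unknown: a security violation.
        if self.violation == "protect":
            return "drop"                      # silent drop, no counter, no log
        self.violations += 1                   # restrict and shutdown both count it
        if self.violation == "shutdown":
            self.err_disabled = True
            return "err-disabled"
        return "drop"


def cam_flood(n):
    """Constructed flood of n distinct source MACs, like a CAM overflow tool would send."""
    return [f"0000.0000.{i:04x}" for i in range(n)]


def run_flood(port, n=100):
    """Feed a flood through the port; returns (forwarded, dropped, err_disabled) counts."""
    results = [port.frame(mac) for mac in cam_flood(n)]
    return (results.count("forward"), results.count("drop"), results.count("err-disabled"))


if __name__ == "__main__":
    # The slide's example: maximum 5, one static address, violation protect.
    port = PortSecurity(maximum=5, violation="protect", static={"0090.2b03.3408"})
    print("protect:", run_flood(port), "secure addresses:", len(port.secure))
    print("restrict:", run_flood(PortSecurity(maximum=5, violation="restrict")))
    print("shutdown:", run_flood(PortSecurity(maximum=5, violation="shutdown")))
```

Under protect the flood is absorbed after the first four dynamic addresses (the static entry occupies the fifth slot) and the CAM table never fills; under shutdown a single extra address takes the port down, which stops the attack but also turns it into a denial of service against whoever shares that port.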
Spanning tree protocol security
STP weaknesses
- STP is a very useful protocol, but it is vulnerable to several attacks
- It has no authentication or encryption to prevent arbitrary topology changes
- An attacker can easily generate bogus BPDUs and trigger topology recalculation, causing network service interruptions and loops
To protect an STP bridged network, apply the following STP security features
- BPDU Guard
- STP root guard
Spanning tree protocol security
BPDU Guard
- If a BPDU arrives on a PortFast-enabled interface, the port is shut down (placed in err-disabled state).
- As a result, a switch running STP cannot be attached to that port.
Root Guard
- As soon as a superior BPDU is received on a port with Root Guard, that BPDU is blocked: the port is put into the root-inconsistent (blocking) state and recovers automatically once the superior BPDUs stop, so the root bridge can never move to that side of the network.
Spanning tree protocol security
How to Config
- R(config)# spanning-tree portfast bpduguard default
- R(config-if)# spanning-tree guard root
The global bpduguard default command only takes effect on ports that have PortFast enabled, so enable PortFast on access ports; root guard is applied per interface, on the ports facing away from the intended root bridge.
Control Plane Policing (CoPP)
What is the control plane?
- The Supervisor of a Catalyst 6500 or 4500 consists of a data plane (forwarding plane) and a control plane (the main CPU).
- Data forwarding is handled in the data plane.
[Diagram: the control plane (CPU) above the forwarding plane (data plane), connected to the linecards through the control plane interface.]
In general the following packets are processed by the control plane's main CPU
- Routing protocols
- Packets addressed to the router's local IP addresses
- Network management protocols, e.g. SNMP
- Interactive access protocols, e.g. SSH, Telnet
- Other protocols, e.g. ICMP, IP options
- Layer 2 packets, e.g. BPDU, CDP, 802.1X
Control Plane Policing (CoPP)
A DoS attack sends traffic at high rates to the control plane, consuming control-plane resources (CPU, memory, etc.).
If the switch's control plane is attacked, the availability of the Catalyst switch itself suffers, and instead of a single server the whole network goes down, with a large business impact.
Purpose of CoPP
- Protect the control plane from DoS attacks aimed directly at the device
Concept
- Filter and control the traffic entering the control plane using QoS features (classification and policing), thereby protecting the control plane
- Hardware-based feature
Control Plane Policing (CoPP)
When CoPP is enabled, the control plane is protected through the following steps.
1) A packet enters an ingress interface of the device on which CoPP is configured.
2) The ACL and QoS policies applied to the input port/interface are applied.
3) The packet is sent to the data plane (switch CPU).
4) The switch CPU makes the routing or switching decision and decides whether the packet must be sent to the control plane.
5) Packets destined for the control plane are processed by CoPP, which drops them or passes them to the control plane according to the traffic class policy.
Control Plane Policing (CoPP)
How to Config (see the Cisco configuration guide at the URL below)
http://www.cisco.com/en/us/docs/switches/lan/catalyst6500/ios/12.2sxF/native/configuration/guide/dos.html
Q & A