Page 1
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1
Cisco IOS Advantage Webinars Securing the Access Layer
Jason Frazier / Andrew Yourtchenko / Ralph Schmieder
We’ll get started a few minutes past the top of the hour.
Note: you may not hear any audio until we get started.
Page 2
Speakers
Jason Frazier
Ralph Schmieder
Andrew Yourtchenko
Panelists
Shelly Cadora
Ken Hook
Eric Vyncke
Page 3
• Submit questions in Q&A panel and send to “All Panelists”
Avoid CHAT window for better access to panelists
• For Webex audio, select COMMUNICATE > Join Audio Broadcast
• For Webex call back, click ALLOW Phone button at the bottom of Participants side panel
• Where can I get the presentation?
https://communities.cisco.com/docs/DOC-29149
Or send email to: [email protected]
• Please fill in Survey at end of event
• Join us on June 6 for our next IOS Advantage Webinar:
Deploying Application Visibility and Control Policies
Page 4
Risk and Exposure
• Exposed to end users, the access layer is inherently vulnerable
Infrastructure Protection
• Security at the network edge protects the network infrastructure
Network Intelligence
• Key data can only be gathered at the access layer
Page 5
Enforce
• Establish perimeter
• Block known attack vectors
• Apply best practices
Monitor
• Make L2 and L3 flows centrally visible
• Collect detailed telemetry of endpoints
Page 6
Intro
Establish the Perimeter
Monitor
IPv6 Refresher
SeND
Distributed vs. Centralized
IPv6 Vulnerabilities and Attack Vectors
Enforce
Conclusion
Page 8
IEEE 802.1X Is Like a Port Firewall
• No access for unknown users
• Customizable access for authenticated users and devices
Page 9
802.1X host modes (figure: a switch with a hub and two endpoints per mode, Data and Voice domains)
• Single Host (802.1X): only one MAC address is allowed; a 2nd MAC address causes a security violation. Authorization: dACL.
• Multi-Host: the 1st MAC address is authenticated; a 2nd endpoint piggybacks on the 1st MAC address authentication and bypasses authentication ("authenticated piggyback"). Authorization: VLAN*.
• Multi-Domain Auth (MDA): each domain (Voice or Data) authenticates one MAC address; a 2nd MAC address on either domain causes a security violation. Authorization: VLAN, dACL.
• Multi-Authentication: the Voice domain authenticates one MAC address; the Data domain authenticates multiple MAC addresses. dACL or single VLAN assignment for all devices are supported. Authorization: dACL, VLAN*, VLAN.
Page 10
Known attack vectors:
• Spoofing and MITM
• Bypassing NAC requirements
Sophisticated, commercial tools are available (example: Pwn Plug Elite).
How to address this?
Page 11
Even with physical access, rogue users cannot monitor or spoof encrypted traffic.
Figure: uplink MACSec and downlink MACSec between the access switch, its uplink and the employee endpoint.
Page 12
*Network Edge Authentication Topology (NEAT) – industry first
• Extend trust into physically unsecured locations (e.g., conference rooms, cubicles, etc.)
• Prevent unauthorized network extensions
• Secure access control for shared media access
Figure: ISE, corporate resources and switches, with the secure / insecure perimeter demarcation.
Page 13
Not all networks are alike –
Cisco offers a solution that suits your needs!
Page 14
Solution
• Securing the perimeter is part of TrustSec
• This includes Policy Server and proven designs which span across multiple technologies
Deployment Models
• Pick what is best suited for your environment
• Adapt the solution to changing security requirements
Feature Rich Implementation
• Successful implementation in real-world networks goes well beyond basic authentication
• Address all networked devices, known and unknown
• BYOD as part of the solution
Guidelines available
• TrustSec Design & Implementation Guide (DIG, www.cisco.com/go/trustsec)
• Whitepapers, Data Sheets and Presentations (www.cisco.com/go/ibns)
Page 16
• Can I identify network attacks before they impact productivity?
• Can I prevent loss of data and employee productivity in case of attacks?
• Can I protect the company’s brand and reputation?
Page 17
Know your network
• Know the applications running in your network
• Know what devices are accessing what resources
• Perform capacity planning
From the wiring closet
• All flows available with the greatest detail
• Locate the source precisely: get the MAC address and access port information associated with the flow
• Location awareness: map ports to location
And more
• Correlate flow, port and MAC
• Mapping user identity to the flows is the next step
• External software to analyze, correlate and alarm
• Anomaly detection and reporting
(Flow Analysis)
Page 18
Visibility with Smart Logging
• Is the access layer under attack?
• What is the nature of the attack?
• Are my countermeasures working?
Figure: attack → countermeasure on the switch → smart logging/telemetry via NetFlow v9 → NetFlow collector.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10745/product_bulletin_c25-658743_ps6406_Products_Bulletin.html
Page 20
Visibility With IOS Sensor
• Correlate CDP, LLDP, DHCP, MAC OUI, RADIUS, NetFlow data and location
• Centralized profiling and analysis at ISE
Figure: endpoints (employee, employee with bad credential, guest, managed assets, rogue) connect through the switch (802.1X, SSC); the switch sends CDP, DHCP, LLDP, RADIUS and NetFlow data to ISE.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html
Page 22
What: ‘Monitor Mode’
• Authenticate without authorizing
• 802.1X / MAB reveal who / what
• Everyone still gets full access
Why
• Leverage existing information
• Prepare for access control
• The “easy button” for 802.1X
RADIUS Authentication & Accounting Logs (collected at ISE)
• Username, MAC address, IP address, switch, port, usage statistics – all in one place!
• Passed/failed 802.1X attempts: valid / invalid 802.1X-capable endpoints
• Passed/failed MAB attempts: valid / unknown MACs
Page 24
Operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points.
• It encompasses:
• Address configuration parameters
• Address initialization
• Address resolution
• Default gateway discovery
• Local network configuration
• Neighbor reachability tracking
Page 25
NDP (ARP replacement in IPv6)
• Discover other hosts & routers on the local network
• Incorporates many features from older link-layer protocols
• Makes extensive use of IPv6 multicast addresses
• Operates using ICMPv6
NDP is also the protocol used to learn information:
• About other hosts
– Address resolution (like we used to do with ARP)
– Duplicate addresses
– Neighbor unreachability
– Next hop
• About routers
– Discovery
– Network prefix
– Network parameters
– Autoconfiguration
Page 26
Primary ICMPv6 NDP Messages
• Neighbor Solicitation (NS)
• Neighbor Advertisement (NA)
• Router Solicitation (RS)
• Router Advertisement (RA)
• Neighbor Unreachability Detection (NUD)
• Duplicate Address Detection (DAD)
• Redirects
• IPv6 Stateless Address Auto Configuration (SLAAC)
All can be used as attack vectors! Defined in RFC 4861, “Neighbor Discovery for IP Version 6 (IPv6)”, and RFC 4862, “IPv6 Stateless Address Autoconfiguration”.
Page 27
End-nodes exposed to many threats
• Address configuration parameters: Trickery on configuration parameters
• Address initialization: Denial of address insertion
• Address resolution: Address stealing
• Default gateway discovery: Rogue routers
• Local network configuration: Trickery on configuration parameters
• Neighbor reachability tracking: Trickery on neighbor status
Malicious nodes can hide on the link
• To disrupt link operations
• To poison neighbor caches
• To attack on-link or off-link victims
• To hijack key roles such as routers or DHCP servers
Malicious nodes can sit anywhere in the network
• To launch DoS attacks on the last router and exploit link-operations security caveats
Page 28
Threats are very much topology dependent: what is specific to IPv6 from topology standpoint?
• More addresses!
• More end-nodes allowed on the link (up to 2^64!)
• Bigger neighbor cache on end-nodes and on default-router
• May lead to some dramatic topology evolution
• Creates new opportunities for DoS attacks
Threats are also dependent on the protocols in use: what is different?
• More distributed and more autonomous operations
• Nodes discover automatically their default router
• Nodes auto-configure their addresses
• Nodes defend themselves (SeND)
• Distributed address assignment creates more challenges for address security
Page 29
Legacy IPv4 link model is very much DHCP-centric:
– DHCP server announces link parameters
– DHCP server announces the default router
– DHCP server assigns addresses
IPv6 link model is essentially distributed, with DHCP playing a minor role:
– Nodes self-assign their addresses
Page 31
Distributed Security ≡ Secure Neighbor Discovery
WHAT SEND PROVIDES
• Each node on the link takes care of its own security
• Verifies router legitimacy
• Verifies address ownership
WHAT SEND DOES NOT PROVIDE
• It does not verify other key role legitimacy (DHCP server, NTP, etc.)
• It only applies to link operations
• It does not provide end-to-end security
• It does not guarantee authorization (≠ 802.1X)
Page 32
Figure: the sender signs the ND message; the receiver verifies the signature and checks that Src = “my address”, where the address is computed from prefix + interface-id.
Page 33
Figure: router authorization with SeND between Router R, a host and Certificate Authority CA0 (certificate C0), in order:
– Router certificate request from R to CA0 → router certificate CR
– Router Advertisement from R
– Certificate Path Solicit (CPS) from the host: “I trust CA0, who are you?”
– Certificate Path Advertise (CPA) from R: “I am R, this is my certificate CR”
– The host verifies CR against CA0
– The host starts using R as default gateway
Page 34
A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside.
To benefit fully from SeND, nodes must be:
• Provisioned with CA certificate(s)
• Time synchronized / have access to the NTP server
• Have access to a CRL or OCSP server
Figure: CAs, routers and hosts inside and outside the administrative boundary.
Page 35
• Due to transition realities and lack of pervasive support for SeND:
– At best there will be a mix of CGA, Router Auth. and “old” ND support
– More likely, a small number of SeND-capable nodes lost in the middle of many non-capable ones
• This has almost no value because it’s a two-player game: nodes with no SeND / CGA support can’t verify SeND / CGA credentials!
Page 36
Move to a different deployment model?
Page 38
Figure legend: host, router, time server, web server, trusted end-nodes, un-trusted end-nodes, attacker, DHCP server/relay.
• Distributed: security verified between any pair of nodes
• Centralized: security verified between each node and the central switch
Page 39
Distributed model
• Advantages
– No central administration, no central operation
– No bottleneck, no single point of failure
– Intrinsic part of the link operations
– Not tied to the L2 infrastructure
– Load distribution
• Disadvantages
– Heavy provisioning of end-nodes
– Only provisioned end-nodes are protected
– Tied to node capabilities
– Bootstrapping issue
– Complexity spread all over the domain
Figure: provisioning infrastructure (configuration server, DHCP server, time server, certificate server), hosts, L2/link infrastructure, Internet.
Page 40
Centralized model
• Advantages
– Central administration, central operation
– Complexity and provisioning limited to the first hop
– All nodes protected
– Transitioning much easier
• Disadvantages
– Applicable only to certain topologies
– Requires the first hop to learn about end-nodes
– The first hop can be a bottleneck and single point of failure
Figure: provisioning infrastructure (configuration server, DHCP server, time server, certificate server), hosts, L2/link infrastructure.
Page 41
WHAT IS IT?
• Takes care of all nodes security, primarily from a link-operations standpoint
• Leverages information gleaned by snooping link-operations
• Arbitrates between different address assignment methods, different protocols, different nodes, different ports, etc.
REQUIREMENTS
• Must be “in the centre” or part of the security perimeter
• Requires some provisioning
• Must be versatile (NDP, SeND, DHCP, MLD, etc.)
Page 42
First Hop Security (FHS)
Page 44
• Find default/first-hop routers
• Discover on-link prefixes => which destinations are neighbors
• Messages: Router Advertisements (RA), Router Solicitations (RS)
RS (host A → routers):
ICMP Type = 133 (Router Solicitation)
Src = UNSPEC (or host link-local address)
Dst = All-routers multicast address (FF02::2)
Query = please send RA
RA (router B → all nodes):
ICMP Type = 134 (Router Advertisement)
Src = Router link-local address
Dst = All-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flag
Option = Prefix, lifetime
Result: A uses B as default gateway.
Page 45
• Attacker tricks the victim into accepting him as default router
• Based on rogue Router Advertisements
• The most frequent threat, often caused by non-malicious users
Scenario: node A ends up sending off-link traffic to C (the attacker) instead of router B.
Rogue RA from C:
Src = C’s link-local address
Dst = All-nodes
Data = router lifetime, autoconfig flag
Options = subnet prefix, SLLA
RA with B’s address and router lifetime 0 (removes B from A’s default router list):
Src = B’s link-local address
Dst = All-nodes
Data = router lifetime = 0
Page 46
Stateless, based on prefix information delivered in Router Advertisements
Messages: Router Advertisements, Router Solicitations
RS (host → routers):
ICMP Type = 133 (Router Solicitation)
Src = UNSPEC (or host link-local address)
Dst = All-routers multicast address (FF02::2)
Query = please send RA
RA (router → all nodes):
ICMP Type = 134 (Router Advertisement)
Src = Router link-local address
Dst = All-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flag
Options = Prefix X, Y, Z, lifetime
The host computes X::x, Y::y, Z::z, runs DAD on them (NS), and then sources traffic with X::x, Y::y, Z::z.
Page 47
• Attacker spoofs a Router Advertisement with a false on-link prefix
• Victim generates an IP address with this prefix
• Access router drops outgoing packets from the victim (ingress filtering)
• Incoming packets can't reach the victim
Scenario: node A sources off-link traffic to B with BAD::A, and B filters out BAD::A.
Spoofed RA (from C, posing as B):
Src = B’s link-local address
Dst = All-nodes
Options = prefix BAD, preferred lifetime
→ A computes BAD::A and runs DAD on it
Spoofed RA (from C, posing as B):
Src = B’s link-local address
Dst = All-nodes
Options = prefix X, preferred lifetime = 0
→ A deprecates X::A
Page 48
• Resolves IP address into MAC address
• Creates neighbor cache entry
Messages: Neighbor Solicitation, Neighbor Advertisement
NS (A → B):
ICMP type = 135 (Neighbor Solicitation)
Src = A
Dst = Solicited-node multicast address of B
Data = B
Option = link-layer address of A
Query = what is B’s link-layer address?
NA (B → A):
ICMP type = 136 (Neighbor Advertisement)
Src = one of B’s interface addresses
Dst = A
Data = B
Option = link-layer address of B
A and B can now exchange packets on this link.
Page 49
• Attacker can claim the victim's IP address
NS (A → B):
Dst = Solicited-node multicast address of B
Query = what is B’s link-layer address?
NA (from attacker C):
Src = B or any of C’s interface addresses
Dst = A
Data = B
Option = link-layer address of C
Page 50
• Verify address uniqueness
• Probe neighbors to verify nobody claims the address
Messages: Neighbor Solicitation, Neighbor Advertisement
DAD NS (from A):
ICMP type = 135 (Neighbor Solicitation)
Src = UNSPEC = 0::0
Dst = Solicited-node multicast address of A
Data = A
Query = Does anybody use A already?
If nobody answers, node A can start using address A.
Page 51
• Attacker answers every DAD attempt of the victim
• Victim can't configure an IP address and can't communicate
DAD NS (from A):
Src = UNSPEC
Dst = Solicited-node multicast address of A
Data = A
Query = Does anybody use A already?
NA (from attacker C, “it’s mine!”):
Src = any of C’s interface addresses
Dst = A
Data = A
Option = link-layer address of C
Page 53
Attack | Countermeasure
DHCP attack | DHCP Snooping
ARP attack | Dynamic ARP Inspection
IP spoof attack | IP Source Guard
RA attack | RA Guard
STP attack | BPDU Guard
CPU attack | Control Plane Policing
Attack classes shown on the slide: MiTM, DoS.
Page 54
• For more info: http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf
Page 55
IPv6 FHS
• IPv6 Binding Integrity Guard: integrity protection for the FHS binding table; protection against IPv6 address theft; protection against MiM attacks
• IPv6 RA Guard: protection against rogue or malicious Router Advertisements; protection against MiM & DoS attacks
• IPv6 DHCP Guard: rejects invalid DHCP offers
• IPv6 Source Guard: validates the source address or prefix; protects against source address spoofing
• IPv6 Destination Guard: validates the destination address of IPv6 traffic reaching the link; protects against scanning or DoS attacks
Page 56
• If IPv6 RA Guard is not available, an IPv6 port ACL applied inbound on the access port blocks DHCPv6 server-to-client traffic and Router Advertisements coming from the host side:
ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
!
interface GigabitEthernet1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in
Page 57
• Switch selectively accepts or rejects RAs based on various criteria
• Can be ACL based, learning based or challenge (SeND) based
• Hosts see only allowed RAs, and RAs with allowed content
Figure: a Router Advertisement (Option: prefix(s), “I am the default gateway”) arrives at the switch and is verified (configuration-based, learning-based or challenge-based); only if verification succeeds is the RA bridged to the host.
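As an added example (not code from the deck, and not Cisco IOS code), the following Python models the configuration-based variant of the RA Guard decision described above, applied to the attacks from the earlier slides: it parses a Router Advertisement and its Prefix Information options and bridges it only if it arrives on a port configured for a router, comes from a link-local source with hop limit 255, carries a router lifetime within the policy maximum, and advertises only prefixes inside the allowed range. The policy fields, port names, prefixes and the four sample RAs (including a “BAD” prefix like the one in the bogus-prefix attack) are constructed for the example; checksums are left zero and not validated.

```python
import ipaddress
import struct
from dataclasses import dataclass

ND_ROUTER_ADVERT = 134      # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3         # ND option type: Prefix Information (RFC 4861)


@dataclass
class RaGuardPolicy:
    """Configuration-based RA Guard policy (constructed example, not a Cisco structure)."""
    router_ports: set          # ports on which a router is expected to be attached
    allowed_prefixes: list     # IPv6Network values hosts may autoconfigure from
    max_router_lifetime: int = 9000


def build_ra(router_lifetime: int, prefixes, hop_limit: int = 64) -> bytes:
    """Build a minimal RA body (type 134, checksum zero) with one Prefix Information option per prefix."""
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, router_lifetime, 0, 0)
    for net, preferred in prefixes:
        # type, length (4 x 8 bytes), prefix length, L+A flags, valid, preferred, reserved, prefix
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, preferred, 0)
        ra += net.network_address.packed
    return ra


def parse_ra(icmp: bytes):
    """Parse an RA body and its Prefix Information options; None if malformed."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT or icmp[1] != 0:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, off = [], 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            return None
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):    # zero-length or truncated option
            return None
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen = icmp[off + 2]
            preferred = struct.unpack("!I", icmp[off + 8:off + 12])[0]
            net = ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
            prefixes.append((net, preferred))
        off += olen
    return {"router_lifetime": router_lifetime, "prefixes": prefixes}


def ra_guard(policy: RaGuardPolicy, port: str, src_ip: str, hop_limit: int, icmp: bytes):
    """Return ("BRIDGE", why) or ("DROP", why) for one RA seen by the switch on `port`."""
    ra = parse_ra(icmp)
    if ra is None:
        return ("DROP", "malformed RA")
    if port not in policy.router_ports:            # host-facing port: no router expected
        return ("DROP", f"RA received on host port {port}")
    if not ipaddress.IPv6Address(src_ip).is_link_local:
        return ("DROP", "source is not a link-local address")
    if hop_limit != 255:                           # RFC 4861: ND packets must arrive with hop limit 255
        return ("DROP", "IPv6 hop limit is not 255")
    if ra["router_lifetime"] > policy.max_router_lifetime:
        return ("DROP", "router lifetime exceeds policy maximum")
    for net, _preferred in ra["prefixes"]:
        if not any(net.subnet_of(allowed) for allowed in policy.allowed_prefixes):
            return ("DROP", f"prefix {net} not allowed by policy")
    return ("BRIDGE", "RA passed all checks")


# Constructed policy and sample RAs
POLICY = RaGuardPolicy(router_ports={"Gi1/0/48"},
                       allowed_prefixes=[ipaddress.IPv6Network("2001:db8:1::/48")])
GOOD_PREFIX = ipaddress.IPv6Network("2001:db8:1:10::/64")
BAD_PREFIX = ipaddress.IPv6Network("2001:db8:bad::/64")


def run_cases():
    """One legitimate RA and three that RA Guard must not bridge."""
    legit = build_ra(1800, [(GOOD_PREFIX, 604800)])
    return {
        "legit_router_port": ra_guard(POLICY, "Gi1/0/48", "fe80::1", 255, legit),
        "rogue_host_port": ra_guard(POLICY, "Gi1/0/5", "fe80::bad", 255, legit),
        "bogus_prefix": ra_guard(POLICY, "Gi1/0/48", "fe80::1", 255,
                                 build_ra(1800, [(BAD_PREFIX, 604800)])),
        "wrong_hop_limit": ra_guard(POLICY, "Gi1/0/48", "fe80::1", 64, legit),
    }


if __name__ == "__main__":
    for name, (verdict, why) in run_cases().items():
        print(f"{name:18s} {verdict:6s} {why}")
```

The learning-based and challenge-based variants on the slide would replace the static `router_ports` and `allowed_prefixes` with state learned from trusted RAs or from a SeND exchange; the per-RA checks on source, hop limit and content stay the same.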
Page 58
• The extension header chain can be so large that it is fragmented!
• Finding the layer 4 information is not trivial in IPv6:
– Skip all known extension headers
– Until either a known layer 4 header is found => SUCCESS
– Or an unknown extension header / layer 4 header is found => FAILURE
– Or the end of the extension headers is reached => FAILURE
Example:
Fragment 1: IPv6 hdr | HopByHop | Routing | Destination | Destination | Fragment
Fragment 2: IPv6 hdr | HopByHop | Fragment | ICMP | Data
The layer 4 header is in the 2nd fragment.
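To make the header walk above concrete, here is an added Python example (not from the deck) that implements the described algorithm over raw IPv6 packets and reports the three outcomes. The sample packets, including the two fragments of the slide's example, are constructed in the block with zeroed addresses and no checksums; the header sizes follow RFC 2460 (8-byte units for Hop-by-Hop, Routing and Destination options; 4-byte units for AH).

```python
import struct

# Next Header values from the IANA protocol-numbers registry
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
KNOWN_L4 = {TCP, UDP, ICMPV6}
MAX_CHAIN = 16    # bound on headers walked, so a hostile chain cannot keep the parser busy


def find_layer4(pkt: bytes):
    """Walk the extension-header chain of one raw IPv6 packet (one fragment on the wire).

    Returns ("SUCCESS", protocol, offset_of_layer4_header) or ("FAILURE", reason, offset).
    """
    if len(pkt) < 40:
        return ("FAILURE", "truncated IPv6 header", 0)
    nh, off = pkt[6], 40                          # Next Header field; end of the fixed header
    for _ in range(MAX_CHAIN):
        if nh in KNOWN_L4:
            if off >= len(pkt):                   # chain ends exactly where layer 4 should start
                return ("FAILURE", "layer 4 header not in this fragment", off)
            return ("SUCCESS", nh, off)
        if nh not in EXT_HEADERS:                 # unknown extension header or unknown layer 4
            return ("FAILURE", f"unknown header type {nh}", off)
        if off + 8 > len(pkt):                    # every extension header is at least 8 bytes
            return ("FAILURE", "end of packet inside the extension header chain", off)
        next_nh = pkt[off]
        if nh == FRAGMENT:
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_offset != 0:                  # only the first fragment can carry layer 4
                return ("FAILURE", "non-first fragment, layer 4 header is in another fragment", off)
            hdr_len = 8
        elif nh == AH:                            # AH: Payload Len in 4-byte units, minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:                                     # Hdr Ext Len in 8-byte units, excluding the first 8
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = next_nh, off + hdr_len
    return ("FAILURE", "extension header chain too long", off)


# --- constructed sample packets (addresses zeroed, no checksums) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, payload length, next header, hop limit 64."""
    return (bytes([0x60, 0, 0, 0]) + struct.pack("!H", len(payload))
            + bytes([next_header, 64]) + bytes(32) + payload)


def ext(next_header: int) -> bytes:
    """Minimal 8-byte Hop-by-Hop / Routing / Destination header pointing at next_header."""
    return bytes([next_header, 0]) + bytes(6)


def frag(next_header: int, offset: int, more: int) -> bytes:
    """Fragment header: next header, offset in 8-byte units, M flag, identification."""
    return bytes([next_header, 0]) + struct.pack("!H", (offset << 3) | more) + bytes(4)


SAMPLES = {
    "plain_udp": ipv6(UDP, bytes(8)),
    "ext_icmpv6": ipv6(HOPOPT, ext(DSTOPTS) + ext(ICMPV6) + bytes(8)),
    # the slide's first fragment: HopByHop, Routing, Fragment, Destination, Destination,
    # and the packet ends before the ICMPv6 header
    "fragment_1": ipv6(HOPOPT, ext(ROUTING) + ext(FRAGMENT) + frag(DSTOPTS, 0, 1)
                       + ext(DSTOPTS) + ext(ICMPV6)),
    # the slide's second fragment: HopByHop, Fragment (offset != 0), ICMPv6, data
    "fragment_2": ipv6(HOPOPT, ext(FRAGMENT) + frag(ICMPV6, 5, 0) + bytes(8)),
    "unknown_hdr": ipv6(HOPOPT, ext(253) + bytes(8)),
}


def classify_all():
    """Run the walk over every sample; used by the stand-alone run and the checks."""
    return {name: find_layer4(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:12s} {result}")
```

A filter that needs layer 4 information (an ACL matching on UDP ports, for instance) has to decide what to do with the two FAILURE outcomes; treating them as "no match" is what lets the fragmented chain bypass the filter, so a port ACL should have an explicit policy for fragments and unknown headers.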
Page 59
Figure: traffic from the host goes through address glean into the binding table; only if the binding is valid is the packet bridged. The switch:
– Arbitrates collisions, checks ownership
– Checks against the max allowed per box/vlan/port
– Records & reports changes
Page 60
Binding table before (hosts H1, H2, H3):
IPv6 | MAC | VLAN | IF | STATE
A1 | MACH1 | 100 | P1 | STALE
A21 | MACH2 | 100 | P2 | REACH
A22 | MACH2 | 100 | P2 | REACH
A3 | MACH3 | 100 | P3 | STALE
Address glean / probes:
– DAD NS [IP source=UNSPEC, target = A1]
– DAD NS [IP source=UNSPEC, target = A3]
– NA [target = A1, LLA=MACH1] (H1 answers, H3 does not)
Binding table after:
IPv6 | MAC | VLAN | IF | STATE
A1 | MACH1 | 100 | P1 | REACH
A21 | MACH2 | 100 | P2 | REACH
A22 | MACH2 | 100 | P2 | REACH
– Keep track of device state
– Probe devices when they become stale
– Remove inactive devices from the binding table
– Record binding creation/deletion/changes
Page 61
Binding table sources (address glean):
– H1: NS [IP source=A1, LLA=MACH1]
– H2: DHCP REQUEST [XID, SMAC = MACH2] to the DHCP server, REPLY [XID, IPA21, IPA22]; the switch can also recover leases from the server with DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY
– H3: data [IP source=A3, SMAC=MACH3]; DAD NS [IP source=UNSPEC, target = A3]; NA [IP source=A1, LLA=MACH3]
Resulting binding table:
IPv6 | MAC | VLAN | IF
A1 | MACH1 | 100 | P1
A21 | MACH2 | 100 | P2
A22 | MACH2 | 100 | P2
A3 | MACH3 | 100 | P3
Page 62
Source Guard:
– Allow traffic sourced with a known IP/SMAC
– Deny traffic sourced with an unknown IP/SMAC
Binding table (from address glean: DAD NS [IP source=UNSPEC, target = A3], NA [target = A1, LLA=MACA3], DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY):
IPv6 | MAC | VLAN | IF
A1 | MACA1 | 100 | P1
A21 | MACA21 | 100 | P2
A22 | MACA22 | 100 | P2
A3 | MACA3 | 100 | P3
Traffic checked against the table:
P1: data, src = A1, SMAC = MACA1
P2: data, src = A21, SMAC = MACA21
P3: data, src = A3, SMAC = MACA3 (P3 binding: A3, MACA3)
Page 63
• Mitigate prefix-scanning attacks and protect the ND cache
• Useful at the last-hop router and L3 distribution switch
• Drops packets for destinations without a binding entry
Figure: scanning traffic from the Internet toward D1 … Dn in {P/64} reaches the L3 switch; each destination is looked up in the binding table (built by address glean): found → forward the packet to the host; not found → drop, so no neighbor cache entry is created.
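The following added Python example (not from the deck, not Cisco code) models the binding-table behaviour described on the last few slides in one place: address glean from DAD NS / NA / DHCP / data, collision and ownership arbitration, a per-port maximum, REACH/STALE ageing with removal of inactive entries, a change log, and the Source Guard and Destination Guard checks made against that table. Host names, MAC addresses, ports, timers and the 8-address limit are constructed for the example, and the takeover rule for STALE entries is a simplification of the probe the real feature would send first.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    state: str        # "REACH" = seen recently, "STALE" = idle, waiting for a probe
    last_seen: float


class BindingTable:
    """Switch-side binding table: glean, ownership arbitration, limits, ageing, guards."""

    def __init__(self, max_per_port=8, stale_after=300.0, remove_after=600.0):
        self.max_per_port = max_per_port
        self.stale_after = stale_after
        self.remove_after = remove_after
        self.entries = {}   # (vlan, ip) -> Binding
        self.log = []       # creation / change / deletion / violation records

    def _port_count(self, vlan, port):
        return sum(1 for b in self.entries.values() if (b.vlan, b.port) == (vlan, port))

    def glean(self, ip, mac, vlan, port, now, source):
        """Learn or refresh a binding from a DAD NS, NA, DHCP reply or data packet."""
        key = (vlan, ip)
        cur = self.entries.get(key)
        if cur is None:
            if self._port_count(vlan, port) >= self.max_per_port:
                self.log.append(f"LIMIT {ip} {mac} vlan {vlan} {port} via {source}")
                return "LIMIT"
            self.entries[key] = Binding(ip, mac, vlan, port, "REACH", now)
            self.log.append(f"ADD {ip} {mac} vlan {vlan} {port} via {source}")
            return "ADD"
        if (cur.mac, cur.port) == (mac, port):
            cur.state, cur.last_seen = "REACH", now
            return "REFRESH"
        if cur.state == "REACH":    # another MAC/port claims an address that has a live owner
            self.log.append(f"COLLISION {ip}: {mac}/{port} vs owner {cur.mac}/{cur.port} via {source}")
            return "COLLISION"
        # Owner is STALE: the real feature probes the old owner first; this model accepts the
        # takeover and records the change so an operator can review it.
        self.log.append(f"CHANGE {ip}: {cur.mac}/{cur.port} -> {mac}/{port} via {source}")
        self.entries[key] = Binding(ip, mac, vlan, port, "REACH", now)
        return "CHANGE"

    def age(self, now):
        """Mark idle entries STALE (a real switch then probes them) and drop inactive ones."""
        for key, b in list(self.entries.items()):
            idle = now - b.last_seen
            if idle >= self.remove_after:
                self.log.append(f"DELETE {b.ip} {b.mac} vlan {b.vlan} {b.port}")
                del self.entries[key]
            elif idle >= self.stale_after:
                b.state = "STALE"

    def source_guard(self, vlan, port, src_ip, src_mac):
        """Forward only if source IP and SMAC match a binding learned on this port."""
        b = self.entries.get((vlan, src_ip))
        return b is not None and (b.mac, b.port) == (src_mac, port)

    def destination_guard(self, vlan, dst_ip):
        """Forward only to destinations with a binding; scans of unused addresses are dropped."""
        return (vlan, dst_ip) in self.entries


# Constructed sample: hosts H1..H4 on VLAN 100, addresses named as on the slides
A1, A21, A22, A3 = "2001:db8:1::1", "2001:db8:1::21", "2001:db8:1::22", "2001:db8:1::3"
MACH1, MACH2 = "00:11:22:00:00:01", "00:11:22:00:00:02"
MACH3, MACH4 = "00:11:22:00:00:03", "00:11:22:00:00:04"


def run_scenario():
    t = BindingTable(max_per_port=8, stale_after=300.0, remove_after=600.0)
    t0, r = 1000.0, {}
    r["dad_a1"] = t.glean(A1, MACH1, 100, "P1", t0, "DAD NS")
    r["dhcp_a21"] = t.glean(A21, MACH2, 100, "P2", t0, "DHCP REPLY")
    r["dhcp_a22"] = t.glean(A22, MACH2, 100, "P2", t0, "DHCP REPLY")
    r["data_a3"] = t.glean(A3, MACH3, 100, "P3", t0, "data")
    # H3 sends NA [IP source=A1, LLA=MACH3]: address theft, rejected while H1 is REACH
    r["theft"] = t.glean(A1, MACH3, 100, "P3", t0 + 1, "NA")
    # H4 autoconfigures nine addresses: the ninth exceeds the per-port limit of 8
    for i in range(9):
        r["limit"] = t.glean(f"2001:db8:1::a{i}", MACH4, 100, "P4", t0, "DAD NS")
    r["sg_spoof"] = t.source_guard(100, "P3", A1, MACH3)      # H3 sourcing A1
    r["sg_ok"] = t.source_guard(100, "P3", A3, MACH3)
    r["dg_known"] = t.destination_guard(100, A21)
    r["dg_scan"] = t.destination_guard(100, "2001:db8:1::ffff")
    t.age(t0 + 400)                                            # nobody refreshed: all STALE
    r["a1_stale"] = t.entries[(100, A1)].state
    r["probe_ok"] = t.glean(A1, MACH1, 100, "P1", t0 + 401, "NA")   # H1 answers the probe
    t.age(t0 + 700)                                            # everyone else inactive: removed
    r["remaining"] = sorted(b.ip for b in t.entries.values())
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:10s} {v}")
```

The log list is the part an operator would export: each COLLISION line is an address-theft attempt, each LIMIT line is a host exceeding its address budget (the deployment slide later notes that iPads and iPhones hit the 8-address limit), and ADD/CHANGE/DELETE lines give the audit trail of who held which address on which port.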
Page 64
Figure: DHCP exchange through the switch: the host sends DHCP REQUEST; the switch forwards DHCP REQUEST + Interface-ID option to the DHCP server; the server returns DHCP REPLY + Interface-ID option; the switch stores the binding and forwards DHCP REPLY to the host.
Page 65
• ~5,000 MAC addresses seen
• ~75% of MAC addresses dual-stack: had both IPv4 and IPv6
• Multi-subnet CAPWAP: need multicast routing; else no RA reaches the client, hence no IPv6
• Needed to tune the timers aggressively: 3 minutes
• iPad / iPhone create a new address every time they join the network; the limit of 8 addresses is not enough!
Page 66
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
• IPv6 FHS
• IPv4 FHS
Page 67
• Control Plane Policing (CoPP): Protect the Control Plane of a network device from DoS attacks
• STP toolkit (Root Guard, BPDU Guard). Safeguard the STP from misconfiguration and malicious attacks
• Best Practices about Infrastructure Security available
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Page 70
Enforce and Monitor: technologies covered
• Dynamic ARP Inspection
• DHCP Snooping
• IP Source Guard
• IPv6 RA Guard
• IPv6 DHCP Guard
• IPv6 Binding Integrity Guard
• IPv6 Src/Dst Guard
• MACSec
• IEEE 802.1X
• Monitor Mode
• Smart Logging
• NetFlow
• IOS Sensor
Page 73
• Thank you!
• Please complete the post-event survey.
• Join us June 6 for our next webinar:
Deploying Application Visibility and Control Policies
To register, go to www.cisco.com/go/iosadvantage
Page 75
Cisco IOS Software Platforms
Feature | Catalyst 6500 | Catalyst 4000 | Catalyst 2K/3K | 2K IOS LAN Lite
IEEE 802.1X authentication | 12.1(13)SE | 12.2(40)SG | 12.2(25)SEA | 12.2(25)SEA
MAC Authentication Bypass | 12.2(33)SXH | 12.2(44)SG | 12.2(25)SEE | 12.2(37)EY
Local Web Authentication | 12.2(33)SXH | 12.2(40)SG | 12.2(35)SEE | No
Flexible authentication | 12.2(33)SXI | 12.2(50)SG | 12.2(50)SE | No
802.1X with Open Access | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No
Multi-auth | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No
Multi-domain Auth (MDA) | 12.2(33)SXI | 12.2(44)SG | 12.2(35)SEE | No
NEAT | 12.2(33)SXJ | 12.2(54)SG | 12.2(52)SE | No
MACSec endpoint (downlink) encryption | No | Sup7E + 4748LC | 12.2(53)SE1 (3K-X) | No
MACSec uplink encryption | | | |
VLAN assignment | 12.1(13)E | 12.2(44)SG | 12.2(25)SEA | 12.2(37)EY
MDA with dynamic Voice VLAN assignment | No | 12.2(52)SG | 12.2(40)SE | No
Guest VLAN, Auth-Fail VLAN | 12.2(33)SXH | 12.2(40)SG | 12.2(25)SED | 12.2(37)EY
User Distribution | 12.2(33)SXI1 | 12.2(54)SG | 12.2(52)SE | No
Downloadable ACL | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No
RADIUS Change of Authorization | 12.2(33)SXI4 | 12.2(54)SG | 12.2(52)SE | No
Multiauth with VLAN assignment | ? | 15.0(2)SG | 12.2(55)SE | No
Wake-on-LAN (WoL) | 12.2(33)SXI | 12.2(40)SG | 12.2(25)SEC | No
Inactivity timer (MAB and 802.1x) | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE |
CDP 2nd port disconnect | 12.2(33)SXI | 12.2(40)SG | 12.2(50)SE | No
Integration with DAI, IPSG, port security | 12.2(33)SXI | 12.2(40)SG | 12.2(25)SEA | 12.2(37)EY
MAC Move/MAC Replace | 12.2(33)SXI4 | 12.2(54)SG | 12.2(55)SE | No
Critical Data VLAN (IAB) | 12.2(33)SXH | 12.2(40)SG | 12.2(50)SE | No
Critical Voice VLAN | 12.2(33)SXJ1 | 15.0(2)SG | 15.0(1)SE | No
Combine these features for easier deployments with “Monitor Mode”.
Most competitive switches lack these features that make 802.1X deployable. Make sure your customer includes them in the RFP.
Page 76
Feature | 2K | 3K | 4K | 6K
DHCP Snooping | Y | Y | Y | Y
Dynamic ARP Inspection | Y | Y | Y | Y
IP Source Guard | Y | Y | Y | Y
BPDU Guard | Y | Y | Y | Y
RA Guard | 15.0(2)SE ‘Nile’, 2960S only | 15.0(2)SE ‘Nile’ (E and X) | 12.2(54)SG | 12.2(33)SXI4
Control Plane Policing | N | N | Y | Y
Page 77
Feature | 2K | 3K | 4K | 6K
Smart Logging | No | 12.2(58)SE | |
IOS Sensor | 15.0(1)SE* | 15.0(1)SE* | Oct 2011 | No
NetFlow | No | With uplink module | Sup 7 |
Monitor Mode: 12.2(50)SG, 12.2(50)SG, 12.2(50)SE, 12.2(33)SXI (as extracted from the slide; the per-platform column assignment is not recoverable)
*Full functionality requires ISE 1.1
Page 78
What is specific with IPv6 in the layer-2 domain? More addresses!
• More end-nodes allowed on the link (up to 2^64!)
• More states (neighbor cache, etc.) on hosts routers and switches.
• May lead to some dramatic topology evolution.
• Creates new opportunities for DoS & MiM attacks
What else? Link-operations protocol(s): IPv6 = Neighbor Discovery
• More distributed and more autonomous operations
• Nodes discover automatically their default router.
• Nodes auto-configure their addresses
• Nodes can defend themselves (SeND)
Page 79
• SeND is NOT a new protocol
• SeND is “just” an extension to NDP with new messages (CPS/CPA) and more options (Signature, etc.)
• Therefore ND+SeND remains a protocol operating on the link
• SeND is a distributed mitigation mechanism
• SeND does not provide any “end-to-end” security
• SeND specified in RFC3971 and RFC3972
Page 80
• Very powerful: the RA Guard multicast group is built from the ports that have the RA Guard feature configured and a device-role of "router" or "monitor". Only switch ports belonging to the RA Guard multicast group will receive RS messages.
interface Ethernet0/0
 ipv6 nd router-preference high
switch(config)# ipv6 nd raguard limited-broadcast