Ethernet switching security
2022-07-26 07:33:00 【zljszn】
I. Port isolation
1. Technical background
- To isolate traffic at layer 2, users usually put different ports into different VLANs, which separates the layer-2 broadcast domains. In a large network with many kinds of business requirements, isolating traffic only through VLANs wastes the limited VLAN resources.
- Some business requirements look like this: PC1 and PC2 belong to the same VLAN but must not communicate at layer 2 (layer-3 communication is allowed); PC1 and PC3 must not communicate under any circumstances; but hosts in VLAN 3 may access hosts in VLAN 2. How can this be solved?

2. Overview of port isolation
With the port isolation function, ports in the same VLAN can be isolated from each other. The user only needs to add ports to an isolation group to isolate layer-2 traffic between the ports in that group. Port isolation gives users a more secure and more flexible networking solution.
Ports in the same isolation group are isolated from each other, but ports in different isolation groups can still communicate; in other words, a port that has not been added to an isolation group can also communicate with the ports in that group.
3. Types of port isolation
- L2: the ports cannot communicate at layer 2, but can still communicate at layer 3 through routing. Broadcast frames are isolated, and BUM (broadcast, unknown unicast, multicast) frames are isolated to a certain extent.
- ALL: no communication at layer 2 or at layer 3; that is, the ports cannot communicate even through the layer-3 routing process.
II. MAC address table security
1. MAC address table entry types
- Dynamic MAC address entries: learned by an interface from the source MAC address of received frames. These entries age out; the default aging time is 300 s. They are lost after a system reset or after the interface board is hot-swapped or reset.
- Static MAC address entries: configured manually by the user and delivered to each interface board; they do not age and are not lost after a system reset or after the interface board is hot-swapped or reset. They are stored permanently on the switch. Once a MAC address is statically bound to an interface, frames carrying that source MAC address that arrive on any other interface are discarded: the switch treats this as MAC address spoofing and drops the frame instead of updating the MAC address table.
- Blackhole MAC address entries: configured manually by the user and delivered to each interface board; they do not age. After a blackhole MAC address is configured, frames whose source or destination MAC address matches it are discarded.
III. Port security
1. Secure MAC address types
- Secure dynamic MAC addresses: lost after the device restarts or the board is hot-swapped, and must be relearned. They do not age by default; they age only after a secure MAC aging time has been configured. When port security is enabled on a port, by default that port can learn only one MAC address.
- Secure static MAC addresses: do not age; once the configuration is saved, they are not lost after a device restart. The MAC address is bound to the port manually and statically.
- Sticky MAC addresses: do not age; once the configuration is saved, they are not lost after a device restart. By default a port can learn only one MAC address.
2. Protective actions
- Restrict: discard frames whose source MAC address is not in the secure MAC table, and raise an alarm.
- Protect: discard frames whose source MAC address is not in the secure MAC table, without raising an alarm.
- Shutdown: set the interface state to error-down, and raise an alarm.
IV. MAC address flapping prevention and detection
1. Background
- MAC address flapping (drift) means that, within one VLAN on a switch, two ports learn the same MAC address, and the MAC entry learned later overwrites the original one. Normally a MAC address is allowed to be learned on only one port.
- When a MAC address migrates frequently between two ports, this is the MAC address flapping phenomenon.
- Under normal circumstances, a large number of MAC address flaps does not occur in a network within a short time. This phenomenon generally means that there is a loop in the network, or that the network is under attack.
2. Preventing MAC address flapping
- 1. When a MAC address flaps between two interfaces of the switch, the MAC learning priority of one of the interfaces can be raised. A MAC entry learned on a higher-priority interface overwrites the entry learned on a lower-priority interface.
- 2. When the interface connected to a forged network device has the same MAC learning priority as the interface connected to the genuine device, the MAC entry learned later from the forged device can be prevented from overwriting the previous, correct entry.
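The two mechanisms above (learning priority deciding whether a later entry overwrites an earlier one, and frequent moves signalling a loop or an attack) as an added, constructed Python model; this is not vendor code, and the port priorities, the same-priority override policy, the flapping threshold and the time window are all assumptions.

```python
from collections import defaultdict, deque

class MacTable:
    """Model of a switch MAC table with MAC learning priority and flapping detection.
    Constructed model, not vendor code: port priorities, the same-priority override
    rule, the flapping threshold and the time window are all assumptions."""

    def __init__(self, port_priority=None, same_priority_override=True,
                 flap_threshold=3, window=10.0):
        self.port_priority = port_priority or {}   # port -> learning priority (default 0)
        self.same_priority_override = same_priority_override
        self.flap_threshold, self.window = flap_threshold, window
        self.table = {}                             # (vlan, mac) -> port
        self.moves = defaultdict(deque)             # (vlan, mac) -> times of port moves
        self.alerts = []                            # (vlan, mac, old_port, new_port, time)

    def prio(self, port):
        return self.port_priority.get(port, 0)

    def learn(self, vlan, mac, port, t):
        """Process one source-MAC learning event and report what the table did."""
        key, cur = (vlan, mac), self.table.get((vlan, mac))
        if cur is None or cur == port:
            self.table[key] = port
            return "learned"
        # Same MAC on another port: a lower-priority port never overrides, and an
        # equal-priority port overrides only when the policy allows it.
        if self.prio(port) < self.prio(cur):
            return "kept"
        if self.prio(port) == self.prio(cur) and not self.same_priority_override:
            return "kept"
        self.table[key] = port                      # the entry drifts to the new port
        q = self.moves[key]
        q.append(t)
        while q and t - q[0] > self.window:         # keep only moves inside the window
            q.popleft()
        if len(q) >= self.flap_threshold:           # frequent moves: loop or attack
            self.alerts.append((vlan, mac, cur, port, t))
            return "flapping"
        return "moved"

def demo():
    mt = MacTable(port_priority={"GE0/0/1": 2})     # GE0/0/1 faces the genuine device
    events = [  # constructed learning events: (vlan, mac, port, time in seconds)
        (10, "00:11:22:33:44:55", "GE0/0/1", 0.0),
        (10, "00:11:22:33:44:55", "GE0/0/5", 1.0),  # forged device on a low-priority port
        (20, "aa:bb:cc:dd:ee:01", "GE0/0/2", 2.0),
        (20, "aa:bb:cc:dd:ee:01", "GE0/0/3", 3.0),
        (20, "aa:bb:cc:dd:ee:01", "GE0/0/2", 4.0),
        (20, "aa:bb:cc:dd:ee:01", "GE0/0/3", 5.0),  # third move within 10 s
    ]
    return [mt.learn(*e) for e in events], mt
```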
V. Switch flow control
1. Under normal circumstances, when a layer-2 Ethernet interface of the device receives a broadcast, unknown multicast or unknown unicast frame, it forwards the frame to all other layer-2 Ethernet interfaces in the same VLAN. This causes traffic flooding and reduces the device's forwarding performance.
Solution
- Traffic suppression limits, through configured thresholds, the rate of broadcast, unknown multicast, unknown unicast, and known multicast and unicast packets. It prevents broadcast, unknown multicast and unknown unicast frames from flooding, and protects the device against large bursts of known multicast and known unicast traffic.
VII. DHCP Snooping
1. Introduction to DHCP attacks
- Starvation attack: the attacker keeps requesting IP addresses from the DHCP server in large numbers until the IP addresses in the server's address pool are exhausted, so the DHCP server can no longer assign addresses to normal users and can no longer provide service. The attacker uses software that forges MAC addresses, sending Discover messages with different MAC addresses to ask the server for an address; the server treats each one as a normal IP address request, and the deception succeeds.
2. Solution: preventing starvation attacks
- Starvation attacks can be prevented with the MAC address limiting function of DHCP Snooping. This function limits the maximum number of MAC addresses that a switch interface is allowed to learn, preventing an attacker from sending large numbers of DHCP requests by changing the MAC address.
3. DHCP Snooping against DoS attacks that change the CHADDR value
To guard against attacks that alter the CHADDR value, DHCP Snooping can be configured on the device to check the CHADDR field in DHCP Request messages. If this field matches the source MAC address in the data frame header, the message is forwarded; otherwise it is discarded. This ensures that legitimate users can use network services normally: the switch checks whether the data link layer MAC address is the same as CHADDR and accepts the message only when they match.
4. DHCP man-in-the-middle attack
- The attacker uses the ARP mechanism to make the Client learn a mapping from the DHCP Server's IP to the Attacker's MAC, and to make the Server learn a mapping from the Client's IP to the Attacker's MAC. In this way all IP traffic between Client and Server is relayed through the attacker; the man in the middle uses false IP-to-MAC mappings to deceive the DHCP client and the server at the same time.
Solution:
- DHCP Snooping can be used to build a firewall between the DHCP Client and the DHCP Server, protecting against the various DHCP attacks.
5. Rogue DHCP server attack
- The client chooses its server by accepting the first Offer message it receives, whichever server sent it. If the first Offer comes from an illegitimate server, the client obtains a wrong IP address.
- Solution: enable DHCP Snooping on the switch, configure the interface connected to the DHCP server as a trusted interface, and configure all other interfaces as untrusted. The switch then forwards only the DHCP server messages received on the trusted interface and discards those arriving on untrusted interfaces. By default, after DHCP Snooping is enabled, all interfaces are untrusted, so the trusted interface must be specified explicitly.
- Solution: the problem can also be solved by configuring DHCP Snooping so that the interface of the legitimate server is the trusted interface.
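The CHADDR check from section 3 and the trusted-port filtering from section 5, as an added Python example that is not part of the original post: a constructed Ethernet/IPv4/UDP/BOOTP frame is parsed and the two rules are applied to it. The frame builder, the port-trust flag and the decision strings are assumptions of this example, not a vendor implementation.

```python
import struct

def build_dhcp_frame(src_mac: bytes, chaddr: bytes, op: int) -> bytes:
    """Constructed test frame: Ethernet + minimal IPv4 + UDP + BOOTP fixed header.
    IP/UDP checksums are left at zero; only the fields the checks read matter."""
    bootp = struct.pack("!BBBB4sHH4s4s4s4s16s", op, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"))
    sport, dport = (68, 67) if op == 1 else (67, 68)        # client->server or server->client
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip         # broadcast dst, IPv4 ethertype

def snooping_decision(frame: bytes, port_trusted: bool) -> str:
    """Apply the CHADDR check and the trusted-port rule to one frame received on a port."""
    src_mac = frame[6:12]
    if frame[12:14] != b"\x08\x00":
        return "forward"                   # not IPv4: DHCP Snooping does not inspect it
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4               # IP header length in bytes
    if ip[9] != 17:
        return "forward"                   # not UDP
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 67 not in (sport, dport):
        return "forward"                   # not DHCP/BOOTP
    bootp = udp[8:]
    if len(bootp) < 44:
        return "drop: truncated BOOTP header"
    op, hlen = bootp[0], bootp[2]
    chaddr = bootp[28:28 + hlen]
    if op == 2 and not port_trusted:       # BOOTREPLY (Offer/Ack) only from trusted ports
        return "drop: server reply on untrusted port"
    if op == 1 and chaddr != src_mac:      # BOOTREQUEST: CHADDR must match frame source MAC
        return "drop: CHADDR does not match source MAC"
    return "forward"
```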