802.1X Authentication Using EAP

• Switches can use IEEE 802.1X to perform user authentication.
• User authentication requires the user to supply a username & password, verified by a RADIUS server, before the switch will enable the switch port for normal user traffic.
• IEEE 8802.1X defines some of the LAN user authentication, but it also uses the Extensible Authentication Protocol (EAP).
• EAP: an internet standard (RFC 3748), as the underlying protocol used for authentication.
• EAP also provides One-time passwords (OTPs).

IP Source Guard

• It add one more check to the DHCP snooping logic.
• When enabled along with DHCP snooping, IP Source Guard checks the source IP address of received packets against the DHCP snooping binding database.
• It checks both the source ip & source MAC address against that same database.
• If the entries do not match, the frame is filtered.
• ip verify source
• to check source ip address only
• ip verify source port-security
• check both the source ip & MAC address
• ip source binding mac-address vlan vlan-id ip-address interface interface-id
• Global command to create static entries that will be used in addition to the DHCP snooping binding database.
• 
  

DCHP Snooping Commands

Command	Purpose
ip dhcp snooping vlan vlan-range	Global command to enable DHCP snooping for one or more VLANs
[no] ip dhcp snooping trust	Interface command to enable or disable a trust level on an interface;
Ip dhcp snooping binding mac-addre vlan vlan-id ip-addre interface interface-id expiry seconds	Global command to add static entries to the DHCP snooping binding database
Ip dhcp snooping verify mac-address	Global command to add static entries to the DHCP snooping binding database
Ip dhcp snooping limit rate rate	Sets the maximum number of DHCP messages per second to mitigate DoS attack.

DHCP Snooping: Logical steps for Filtering

• It filters all messages sent exclusively by DHCP servers.
• The switch checks DHCP release & decline messages against the DHCP snooping binding table.
• if the IP address in those messages is not listed with the port in the DHCP snooping binding table, the messages are filtered.
• Optionally, it compares  a DHCP request's client hardware address value with the source MAC address inside the Ethernet frame.

The 1st one takes care of the fake DHCP server man-in-the-middle attack.

The 2nd one prevents an attacking host from releasing a legitimate host's DHCP lease, then attempting to request an address and be assigned the same ip address

DHCP Snooping

• DHCP snooping prevents the damage inflicted by several attacks that use DHCP.
• DHCP snooping causes a switch to examining DHCP messages & filter the inappropriate.
• DHCP snooping builds a table of IP address & port mappings
• this table builds based on the known DHCP messages
• this table is called the  DHCP snooping binding table.
• This DHCP snooping binding table can be used by DAI & IP source Guard feature.
• DHCP snooping defeats certain attacks (man in the middle attack using DHCP) by considering port as untrusted.
• All DHCP messages on trusted ports are only allowed by DHCP snooping.
• To this DHCP clients should exist on untrusted ports.
• As a result, the switch filters incoming DHCP messages that are only sent by servers.
• From design point of view unused & unsecured user ports would be configured as untrusted to DHCP snooping.
• DHCP snooping examine the DHCP client messages on untrusted ports because other attacks can be made using DHCP client messages.
• DHCP servers identify clients based on their client hardware address as listed in the DHCP request.
• 
  

DAI Commands

Command	Purpose
Ip arp inspection vlan vlan-range	Global command to enable DAI on this switch for the specified VLANs
[no] ip arp inspection trust	Interface subcommand that enable or disable DAI on the interface.
Ip arp inspection filter arp-acl-name vlan vlan-range [static]	Global command to refer to an ARP ACL that defines static IP/MAC address to be checked by DAI for that VLAN (step-2)
Ip arp inspection validate {[src-mac] [dst-mac] [ip]}	Enables additional optional checking of ARP messages (per step 3-5) in the preceding list)
Ip arp inspection limit {rate pps [burst interval seconds] | none }	Limits the ARP message rate to prevent DoS attacks carried out by sending a large number or ARPs.

• DAI automatically sets a limit of 15 ARP messages per port per second to mitigate that risk
• ip arp inspection limit  uses to change these default value
  

DAI logical Steps in finding inappropriate messages

• If an ARP reply lists a source ip address that was not DHCP assigned to a device off that port, DAI filters the ARP reply.
• DAI also uses a list of statically defined IP/MAC address combinations for comparision.
• For a recievied ARP reply, 
• DAI compares the source MAC address in the ethernet header to the source MAC address in ARP message.
• These MACs should be equal in normal ARP replies.
• If they are not, DAI filters the ARP message.
• Like in above step DAI compares the destination Ethernet MAC and the target MAC listed in the ARP body.
• DAI checks for unexpected IP addresses listed in the ARP message, such as 0.0.0.0, 255.255.255.25, multicasts, & so on.

Dynamic ARP Inspection (DAI)

• Switch uses DAI to prevent certain types of attacks.
• To do this switch, can effectively uses the IP ARP messages.
• ARP message includes 4 important addressing fields:
• Source MAC & IP address of the sender of the message
• Target MAC & IP address
• Gratuitous ARPs:
• Gratuitous ARP occurs when a host sends an ARP reply, without even seeing an ARP request, & with a broadcast destination Ethernet address.
• DAI defeat ARP attack by examining the ARP messages & then filter out the inappropriate messages.
• DAI considers each switch port to be either untrusted (the default) or trusted.
• DAI perform messages on untrusted ports only.

Port Security Config Commands

Command	Purpose
Switchport mode { access | trunk}	Port security requires that the port be statically set as either access or trunking
Switchport port-security [maximum value}	Enables port security on an interface & optionally defines the number of allowed MAC addresses on the port (default 1)
Switchport port-security mac-address mac-addres [vlan {vlan-id| {access | voice}}	Statically defines an allowed MAC address, for a particular VLAN (if trunking), & for either the access or voice VLAN
Switchport port-security mac-address sticky	Tells the switch to remember the dynamically learned MAC address
Switchport port-security [aging] [violation {protect | restrict | shutdown}]	Define the aging timer & actions taken when a violation occurs.

Port Security

• Switch port security monitors a port to restrict the number of MAC addresses associated with that port in the layer 2 switching table.
• Also possible to make only certain mac addresses only reach the Port.
• Key features of Port Security:
• Limiting the number of MACs  that can be associated with the port.
• This limiting of MACs will be done based on following 3 methodes:
• Static configuration of the allowed MAC addresses.
• Dynamic learning of MAC addresses, up to the defined maximum, where dynamic entries are lost upon reload
• Dynamically learning but with the switch saving those entries in the configuration (called sticky learning)
• 
  

Layer 2 Security

• general characterizations of the switch ports:
• unused ports: which are not connected to any device
• user ports: ports cabled to end user devices
• trusted ports or trunk ports: ports connected to fully trusted devices, like connected other known secured switches.
• Securing Used & Unused ports:
• Disable unneeded dynamic protocols like CDP & DTP.
• Disable trunking by configuring these ports as access ports.
• Enable BPDU Guard & Root Guard to prevent STP attacks & keep a stable STP technology.
• Use either dynamic ARP inspection (DAI) or private VLANs to prevent frame sniffing.
• Enable port security to at least limit the number of allowed MAC addresses, & possibly restrict the port to use only specific MAC addresses
• Use 802.1X user authentication.
• Use DHCP snooping & IP source Guard to prevent DHCP DoS & man in the middle attacks.
• Cisco SAFE blueprint made additional recomendations:
• For any port (including trusted ports), consider the general use of private VLANs to further protect the network from sniffing, including preventing routers or L3switches from routing packets between devices in the private VLAN.
• Configure VTP authentication globally on each switch to prevent Dos attacks.
• Disable unused switch ports & place them in an unused VLAN.
• Avoid using VLAN 1.
• For trunks, do not use the native VLAN.
• Limiting the actual MAC address associated with the port, based on three methods:
• Static configuration of the allowed MAC addresses
• Dynamic learning of MAC addresses, up to the defined maximum, where dynamic entries are lost upon reload.
• Dynamically learning but with the switch saving those entries in the configuration( called sticky learning)

PPP security

• PPP: Point to Point Protocol is a network protocol that allow data communication between two network points or entities.
• 
  
• PPP provides the capability to use PAP & CHAP for authentication.
• Which is particularly useful for dial applications.
• The default authentication method for CHAP/PAP is depend upon a locally configured set of username name password password commands.
• Cisco ios supports the use of AAA authentication for PPP using the same general set of commands used for login authentication.
• The configuration steps are:

Overriding the defaults for login Security

• The console, vty & aux (routers only) lines can override the use of the default login authentication methods.
• To do this, in line configuration mode, the login authentication name command

Groups of AAA servers

• By default, Cisco ios automatically groups RADIUS & TACACS+ servers configured with the radius-server host & tacacs-server host commands into groups
• The aaa authentication command includes the keyword group radius or group tacacs+ to refer to these default groups.
• By default, all defined RADIUS servers end up in the radius group, and all defined TACACS+ servers end up in the tacacs+ group.
• In case of large servers, make different sets of RADIUS or TACACS+ servers.
• servers can be grouped by name using the command
•  aaa authentication enable default group fred local
• aaa authentication login default group fred none

Authentication Methods for login & enable

METHODE	MEANING
Group radius	Use the configured RADIUS servers
Group tacacs+	Use the configured TACACS+ servers
Group name	Use a defined group of either RADIUS or TACACS+ servers
Enable	Use the enable password, based on enable secret or enable password commands
Line	Use the password defined by the password command in line configuration mode
Local	Use username commands in the local configuration (username is case insensitive but password is case sensitive)
Local-case	Use username commands in the local configuration (both username & password are case sensitive)
None	No authentication required, user automatically authenticated

Using Multiple Authentication Methods

• AAA authentication allow multiple servers & multiple authentication methods.
• So user can be authenticated even if one authentication method is not working.
• The aaa authentication command supports up to four methods on a single command.
• No limit to the number of RADIUS or TACACS+ servers that can be referenced.
• Logic used by IOS when using these methods are:
• Based on the 1st listed method first, if that methode not respond, move to the next & then next & so on until a method responds. Use the first- responding-server's decision (allow or reject).
• If no response occurs for any method, reject the request.
•