Opinions on a simple switch security template

Andy White
Level 3

Hello,

I am going to be locking down a remote site's LAN, as currently it has no real security implemented. Any suggestions would be most welcome, as I want to stop man-in-the-middle attacks (MAC spoofing) and DHCP servers being installed on untrusted ports. I want to create a template I can use for all other offices. This is what I plan to do:

They have 4 3750s:

I have already configured:

  • SSH
  • Added an ACL for remote management and SNMP
  • Shutdown unused ports
  • Use nonegotiate on trunk ports to turn off DTP (stop VLAN hopping)
  • Make all user ports access ports (again to turn off DTP)
  • Enable portfast on access ports
  • Enable BPDU guard on access ports

  1. Should I put unused ports into a "black-hole" VLAN?
  2. The sites have PCs and laptops, so users may move around. Do I use sticky ports or just lock the port down to, say, 5 MAC addresses allowed only? What do you do?
  3. If BPDU guard is enabled I guess there is no point in enabling root guard.
  4. I am thinking of enabling DHCP snooping (tested in a lab).
  5. I am thinking of enabling DAI (tested in a lab).
  6. I was going to turn off CDP, but we will be putting in VoIP at some point.

Not really to do with security but VTP is enabled with pruning.

Thanks

Accepted Solution

Hello

  1. Should I put unused ports into a "black-hole" VLAN? - Create an unused VLAN and assign all unused ports to it - NOT VLAN 1.
  2. The sites have PCs and laptops, so users may move around. Do I use sticky ports or just lock the port down to, say, 5 MAC addresses allowed only? What do you do? - See below.
  3. If BPDU guard is enabled I guess there is no point in enabling root guard. - Root guard is to protect from any STP state changes; BPDU guard protects against any STP. Apply root guard on ports you don't want to become root (i.e. on designated ports on the core switches).

  4. I am thinking of enabling DHCP snooping (tested in a lab). - Make sure all switch interconnects are trusted.
  5. I am thinking of enabling DAI (tested in a lab). - As per 4.
  6. I was going to turn off CDP, but we will be putting in VoIP at some point. - Disable CDP globally and enable it on specific ports when required. (Also, if introducing LAN QoS, don't forget to change the CoS-to-DSCP mapping to incorporate the different default mapping between the IP phone and the Cisco switch - a different post is required for that.)

Not really to do with security, but VTP is enabled with pruning. - Use VTP version 3 (if applicable) and apply passwords (VTP 3 has the option to hide them).

2)

int x/x
 ! protects against unauthorised hubs/switches
 switchport host
 ! "switchport host" sets access mode and portfast and disables channel-group; it does not touch CDP
 no cdp enable
 switchport port-security
 ! the feature must be enabled; the maximum/aging/violation lines below are inert without it
 switchport port-security maximum 1
 switchport port-security aging type inactivity
 switchport port-security aging time 2
 ! minutes; the default aging time of 0 means the learned address never ages out
 switchport port-security violation shutdown
 spanning-tree bpduguard enable
 ! interface form; "spanning-tree portfast bpduguard default" is the global equivalent

Automatically recovers from a violation and ages out the MAC address on the port:

errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 150

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

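A complete template that pulls the accepted answer's points together, added here as an example; it is not taken from any post in this thread. It assumes a Catalyst 3750 with GigabitEthernet1/0/x ports, an IOS release that supports VTP version 3, VLAN 10 for data, VLAN 20 for voice, VLAN 666 as the black-hole VLAN and VLAN 999 as an unused native VLAN; all VLAN numbers, names, the VTP domain and password, and the interface ranges are placeholders. Two details deliberately differ from the wording above: `no cdp run` cannot be overridden per port, so CDP stays running globally and is switched off only on user ports; and `switchport port-security` must be present, with a non-zero aging time, for the maximum, aging and violation settings to do anything.

```cisco
! Added example template for a Catalyst 3750 access switch, not the thread's own config.
! Assumed values: VLAN 10 data, VLAN 20 voice, VLAN 666 black-hole, VLAN 999 unused native,
! uplink Gi1/0/49, phone ports Gi1/0/1-8, user ports Gi1/0/9-40, unused ports Gi1/0/41-48.
!
vlan 10
 name Data
vlan 20
 name Voice
vlan 666
 name Black-hole
vlan 999
 name Native-unused
!
! VTP v3 with a hidden password (needs an IOS release that supports VTP version 3)
vtp version 3
vtp domain SITE-A
vtp password S3cr3tVtpPw hidden
!
! CDP stays on globally: "no cdp run" cannot be re-enabled per port, so the phones on
! Gi1/0/1-8 would lose CDP. Disable it per user port instead (see below).
cdp run
!
! DHCP snooping: only trusted ports may send OFFER/ACK; every other port is untrusted by default
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping database flash:dhcp-snoop.db
! Drop option 82 insertion if the DHCP server rejects packets that carry it from a L2 switch
no ip dhcp snooping information option
!
! DAI checks ARP against the snooping binding table; static-IP hosts need an arp access-list
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Auto-recover ports that these features err-disable
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 150
!
! Uplink: static trunk, no DTP, unused native VLAN, trusted for snooping and DAI
interface GigabitEthernet1/0/49
 description Uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports: one MAC, aged out after 2 idle minutes so hot-desk laptops do not lock the port
interface range GigabitEthernet1/0/9 - 40
 description User access
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security aging time 2
 ip dhcp snooping limit rate 10
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Phone ports: phone plus the PC behind it, so allow 2 MACs and keep CDP for the voice VLAN
interface range GigabitEthernet1/0/1 - 8
 description IP phone + PC
 switchport access vlan 10
 switchport voice vlan 20
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 switchport port-security aging time 2
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: shut down AND parked in the black-hole VLAN (no SVI, not allowed on any trunk)
interface range GigabitEthernet1/0/41 - 48
 description Unused - black-hole
 switchport access vlan 666
 switchport mode access
 switchport nonegotiate
 shutdown
!
! On the core switches only: root guard on the designated downlinks facing the access layer
! interface GigabitEthernet1/0/1
!  spanning-tree guard root
```

Check the result with `show port-security interface Gi1/0/9`, `show ip dhcp snooping`, `show ip dhcp snooping binding`, `show ip arp inspection interfaces` and `show errdisable recovery`. DAI relies on the DHCP snooping binding table, so any host with a static address in an inspected VLAN needs an `arp access-list` applied with `ip arp inspection filter`, or its ARP will be dropped. Root guard belongs on the core switches' designated ports, not on the access switches, and BPDU guard still shuts a user port the moment any BPDU arrives.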

14 Replies


Hi,

Thanks for your quick and great reply, here is my response.

1.) Do you normally put shutdown ports also into an unroutable (black-hole) VLAN, or just leave them administratively down?

2.) So you set ports as host ports instead of access ports and only allow 1 MAC address, which will clear from the MAC table after 150 seconds?

3.) So BPDU guard will cover host ports from any STP change, either root or some other type? Use root guard on trunk ports from the root switch (designated)?

4.) Sure, on trunks I have to make these trusted, and any official DHCP server ports. I think I have had to use option 82 before too, I need to check my notes.

5.) Will disable CDP globally and enable it on specific ports only (VoIP).

Thanks

Leo Laohoo
Hall of Fame

You've got 3750s? Investigate Auto Smartports (ASP) or use 802.1X.

Beats the heck out of "shut down unused ports". I've seen this line before, and I've seen it being implemented for only a few months.

Hey Leolaohoo,

These are 3560s. I've used 802.1X for port security, but never managed to get Windows XP/7 to seamlessly authenticate using Windows RADIUS / Active Directory. I have got it working where the user puts in a RADIUS username and password and it authenticates them, then they have to log into the domain using their AD credentials. I'm sure there is a way so their AD credentials can do it all.

Hello,

1) Most secure method - so if the port was accidentally enabled it won't allow access to anything.

2) No - these are access ports with additional port-security enabled.

3) Correct - and on switch ports where you don't want the port to become a root port for another switch.

Note: the most secure method of tying down your LAN is to implement 802.1X port-based authentication (IBNS - Identity Based Networking Services):

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

res

Paul


Hi,

1.) Great I understand.

2.) A typical port looks like this, so if I just enable the host option will that be OK?

interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable

3.) 802.1x is great, I got this working in my home lab, but just couldn't get it to work at work using our Windows 2008 NPS Radius server which talks to our Active Directory.  I wanted users to be able to get to their control-alt-delete screen and log in once using their Active Directory credentials only.

I just want to create a template to use everywhere, maybe 802.1x is a phase 2.

Hello,

Sorry, misunderstood - the switchport host command is an in-built macro that puts the port into access mode and applies portfast, with channel-group disabled.

Your port config is fine - just add the port-security as stated above.

res

Paul


Thanks. This is what I did; you are right about the host option. I created a new VLAN for the unused ports called VLAN 666, it is not an SVI:

3560_1(config-if)#switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

interface FastEthernet0/1
 switchport access vlan 666
 switchport mode access
 shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable

sh vlan bri
666  Black-hole   active    Fa0/1

Hopefully this looks OK to you? Lots of work to do for me at many sites, but exciting.

Forgot to ask, what is this doing?

Is it allowing 1 user only, then shutting down when idle?

2)

int x/x
 ! protects against unauthorised hubs/switches
 switchport host
 ! "switchport host" sets access mode and portfast and disables channel-group; it does not touch CDP
 no cdp enable
 switchport port-security
 ! the feature must be enabled; the maximum/aging/violation lines below are inert without it
 switchport port-security maximum 1
 switchport port-security aging type inactivity
 switchport port-security aging time 2
 ! minutes; the default aging time of 0 means the learned address never ages out
 switchport port-security violation shutdown
 spanning-tree bpduguard enable

Automatically recovers from a violation and ages out the MAC address on the port:

errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 150

Hello

It allows only one MAC address per port (protects against hubs, which don't send BPDUs), and if a violation occurs it will err-disable the port.

BPDU guard is for unauthorised switches (which do send BPDUs).

In either case the IOS will then try to re-enable the port every 150 seconds, if the violation has ceased.

Regarding the MAC security: if the port has been idle, the associated MAC address will age out and the port will be able to receive a new host.

res

Paul


Thanks,

Looks like one port has a hub, so I will have to leave that port. The problem is we have a few laptop users that hot desk (move around), so one MAC address may be difficult, unless I can lock the port down to 1 address and this ages out when the computer disconnects?

Andy


Just one thing, as I'm being dense today, regarding the MAC address security.

If 1 port is locked down to 1 MAC address, how long will it be before a new user can use that port? I'm just thinking, if a roaming laptop user goes home and the next day, or in the next 10 minutes, someone plugs their own laptop in, they can't access the network.

Would allowing 2 MAC addresses be best, or 1 only and age out after a minute or 2? I just want to stop MAC flooding.

Kind regards

Hello,

I'm going to use this:

int x/x
 ! protects against unauthorised hubs/switches
 switchport host
 ! "switchport host" sets access mode and portfast and disables channel-group; it does not touch CDP
 no cdp enable
 switchport port-security
 ! the feature must be enabled; the maximum/aging/violation lines below are inert without it
 switchport port-security maximum 1
 switchport port-security aging type inactivity
 switchport port-security aging time 2
 ! minutes; the default aging time of 0 means the learned address never ages out
 switchport port-security violation shutdown
 spanning-tree bpduguard enable

So when a user unplugs their laptop, how long will it be before a new user can use that port?

Thanks
