
Access Switch Security Configuration Principles in ISP Networks

Category: Design and Architecture

Recently I was watching a live webcast from an annual event where telecommunications specialists from all over the country gather in one place and share their experience. There were many topics at the conference, but I decided to make a brief summary of the one called “Access Switch Security Configuration Principles in ISP Networks”. Here is the outline for securing access switches.

Address allocation options:

  1. Static IP/MAC port binding. The drawback for this is frequent user calls to tech support to change bindings.
  2. DHCP (DHCP Snooping + DAI on access switch or static ARP on the router).

Broadcast domain security

DHCP
Risk: DHCP spoofing.
Protection: ACL UDP/67, SNMP trap.

ARP
Risk: ARP spoofing, where a user intentionally or by accident assigns the gateway IP address to his PC, which then replies to ARP requests with its own MAC address.
Protection: ARP inspection, CVLAN (Customer VLAN), Private VLAN.

NetBIOS
Risk: virus spread, uncontrolled Windows share traffic, data theft from neighbours.
Protection: ACL (ports 135-139, 445), CVLAN, Private VLAN.

Bonjour, DLNA, UPnP, etc.
Risk: virus spread, uncontrolled traffic, data theft from neighbours.
Protection: CVLAN, Private VLAN; ACL is the worst choice because these technologies use many different protocols.
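To make the DHCP snooping + DAI option concrete, here is an added example (not from the talk or the post) that simulates the Dynamic ARP Inspection decision on an access switch: each ARP packet from an untrusted port is checked against the DHCP snooping binding table, so a user who assigns the gateway IP to his PC gets his ARP replies dropped. The binding table, port names and packets are constructed sample data.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table: (VLAN, client IP) -> (client MAC, ingress port),
# as the switch would have learned it from DHCP exchanges.
BINDINGS = {
    (100, "10.0.0.11"): ("aa:aa:aa:aa:aa:11", "Gi1/0/1"),
    (100, "10.0.0.12"): ("aa:aa:aa:aa:aa:12", "Gi1/0/2"),
}
# Trusted ports (uplink towards the router/aggregation) are not inspected.
TRUSTED_PORTS = {"Gi1/0/24"}


@dataclass(frozen=True)
class Arp:
    vlan: int
    port: str        # ingress port of the ARP packet
    sender_ip: str   # sender protocol address
    sender_mac: str  # sender hardware address


def dai_verdict(pkt: Arp) -> tuple[str, str]:
    """Return (action, reason) the way DAI would decide for one ARP packet."""
    if pkt.port in TRUSTED_PORTS:
        return ("permit", "trusted port, not inspected")
    binding = BINDINGS.get((pkt.vlan, pkt.sender_ip))
    if binding is None:
        return ("drop", f"no DHCP binding for {pkt.sender_ip} in VLAN {pkt.vlan}")
    mac, port = binding
    if mac != pkt.sender_mac.lower():
        return ("drop", f"MAC {pkt.sender_mac} does not match binding {mac}")
    if port != pkt.port:
        return ("drop", f"binding belongs to {port}, packet arrived on {pkt.port}")
    return ("permit", "matches DHCP snooping binding")


def inspect(packets):
    return [dai_verdict(p) for p in packets]


# Constructed sample traffic; 10.0.0.1 is the gateway, reachable only via the uplink.
SAMPLE = [
    Arp(100, "Gi1/0/1", "10.0.0.11", "aa:aa:aa:aa:aa:11"),   # legitimate host
    Arp(100, "Gi1/0/2", "10.0.0.1", "aa:aa:aa:aa:aa:12"),    # user claiming the gateway IP
    Arp(100, "Gi1/0/24", "10.0.0.1", "cc:cc:cc:cc:cc:01"),   # real gateway on trusted uplink
    Arp(100, "Gi1/0/3", "10.0.0.11", "bb:bb:bb:bb:bb:03"),   # host 11's IP from another port
]

if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE, inspect(SAMPLE)):
        print(f"{pkt.port:9} {pkt.sender_ip:10} {pkt.sender_mac}  {action:6} {why}")
```

With static ARP on the router instead (the other option from the talk), the same spoofed reply would simply never update the router's ARP cache, but neighbouring hosts in a shared VLAN would still be poisoned unless CVLAN or Private VLAN isolates them.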

STP security

Loop detection must be used within shared VLANs, and SNMP traps have to be sent to the monitoring center.

Storm control security

Storm control covers broadcast, multicast and unknown unicast traffic.

Broadcast
Optimal control parameters: 10 pps / 32 kbit/s.
Security measures: port shutdown, drop traffic (preferred), SNMP trap.
Consequences if measures are not taken: high CPU load at the access and aggregation levels (as a result, throughput deterioration for DHCP, IGMP and control packets); data channels carry higher levels of traffic.

Multicast
Consequences if measures are not taken: high CPU load at access and aggregation switches, overloaded multicast tables at the access level, unnecessary traffic.
Protection: ACL (except join/leave, query/report), CVLAN, MVR, Private VLAN.

IPTV protection
Risk: IGMPv2 doesn't check the multicast source IP.
Protection: ACL on IGMP join / IGMP auth, MVR, check IGMP leave, IGMP fast-leave.

CPU security and protection

  • CPU access filter (ARP, IGMP, ping, ports)
  • Control Plane Policing / safeguard
  • Separate administrative VLAN
  • MVR
  • Hardware MAC learning, switching, aging
  • Port-security (max MAC)

If L2 redundancy is used, the applicable protections are STP edge ports, STP root guard, and ACLs for ERPS/REP/SEP on user access ports.

QoS security

Protection: drop CoS/ToS markings from users on access ports (trust is given to aggregation switches only), use only 3-4 classes of traffic, and use ACLs to set markings for Internet traffic, telephony, LAN, etc.

RED is better turned off so that users don’t complain about dropped ICMP packets (pings).

Control plane security

Protection: SNMP restricted with ACLs so that it is accessible only from uplink ports in the VLAN, SNMPv3 authentication with encryption, HTTPS, SSH.

By privilege15