Recently I was watching a live online web translation taken from an annual event where telecommunications specialists from all over the country gather in one place and share their experience. There were many topics at the conference but I decided to make a brief summary of the one called “Access Switch Security Configuration Principles in ISP Networks”. Here is the outline for securing access switches.
Address allocation options:
- Static IP/MAC port binding. The drawback for this is frequent user calls to tech support to change bindings.
- DHCP (DHCP Snooping + DAI on access switch or static ARP on the router).
Broadcast domain security
|DHCP||Risk: DHCP Spoofing|
Protection: ACL UDP/67, SNMP trap
|ARP||Risk: ARP spoofing where a user intentionally or by accident assigns the gateway IP address to his PC, which replies to requests with its own MAC address.|
Protection: ARP inspection, CVLAN (Customer VLAN), Private VLAN
|NetBIOS||Risk: Virus spread, windows share uncontrolled traffic, data theft from neighbours.|
Protection: ACL (port 135-139, 445), CVLAN, Private VLAN
|Bonjour, DLNA, UPNP, etc||Risk: Virus spread, uncontrolled traffic, data theft from neighbours.|
Protection: CVLAN, Private VLAN, ACL – worst choice because of many protocols used by these technologies.
Loop-detect must be used within shared VLANs. SNMP traps have to be sent to monitoring center.
Storm control security
Storm control security includes broadcast, multicast, unknown unicast.
|Broadcast||Broadcast optimal control parameters: 10 pps / 32 kbit/s|
Security measures: port shutdown, drop traffic (preffered), SNMP-trap
Consequences if measures not taken: high CPU level at access and aggregation (as the result – throughput deterioration of DHCP, IGMP packets, control packets), data channels experience higher levels of traffic.
|Multicast||Consequences if measures not taken: high CPU load at access and aggregation switches, multicast tables overloaded at access level, nnnecessary traffic|
Protection: ACL (except join/leave, query/report), CVLAN, MVR, Private VLAN
|IPTV protection||Risk: IGMP v2 doesn’t look at multicast SRC-IP.|
Protection: ACL on IGMP join / IGMP auth, MVR, check IGMP leave, IGMP fast-leave.
CPU security and protection
- CPU access filter (ARP, IGMP, ping, ports)
- Control Plane Policing / safeguard
- Separate administrative VLAN
- Hardware MAC learning, switching, aging
- Port-security (max MAC)
If used L2-redundancy, then applicable protection is STP edge ports, STP root guard, ERPs/REP/SEP ACL on user access ports.
Protection: drop CoS/ToS markings from users on access ports (trust goes to aggregation switches only), use only 3-4 classess of traffic, use ACLs to set markings for Internet traffic, telephony, LAN, etc.
RED is better to turn off so that users don’t complain about ICMP packets (pings) drop-offs.
Control plane security
Protection: SNMP with ACLs accessible from uplink ports in the VLAN, SNMP v3 authentication with encryption, HTTPS, SSH.By privilege15