Wireless and Switch Security

NETSDavid Mitchell

Wireless and Switch Security

MAC Address Move Tracking

DHCP Snooping

Wireless Client Blacklist

WPA2 Authentication

MAC Address Move Tracking

This has been implemented.

Ethernet switches learn the location of MAC addresses dynamically by inspecting every packet.

This makes switches easy to configure and deploy, but provides poor security.

A client can spoof the MAC address of another client in an attempt to receive it's traffic.

MAC Address Move Tracking

As a mitigation technique, NETS logs a specific type of CAM table change.

If a packet is received which causes the port associated with a MAC address to move from one active port to another active port, the switch issues a syslog.

Logs are monitored and some entries generate email alerts.

MAC Address Move Tracking

Most of the log entries are wireless clients moving between access points. These do not generate alerts.

Any move of a prefix associated with a router generates an alert. These are the primary motivation for activating the feature.

Some other cases generate huge numbers of log entires. These generate alerts as well.

MAC Address Move Tracking

Some types of link aggregation or load balancing generate huge numbers of entries. NETS will contact you to coordinate compatible configurations for the switch and server.

Some wireless clients roam between access at excessive rates. In some cases, over 10,000 log entries in an hour. These are one motivation for the blacklist to be discussed later.

DHCP Snooping

Currently nothing prevents any machine on our network from acting as a DHCP server.

A 'rogue' DHCP server can cause problems for clients on the subnet in various ways.

DHCP snooping allows NETS to configure ports as trusted or untrusted. Only trusted ports may run DHCP servers.

It is activated on a per-VLAN basis.

DHCP Snooping

With snooping enabled, the switch actually inspects all DHCP packets on a subnet.

The switch maintains a table of all current DHCP leases. This table can be used for further security checks such as ARP inspection.

NETS has deployed DHCP snooping on the primary CISL workstation subet.

Pending CatOS upgrades, it is ready for wider adoption. NETS would like it everywhere.

Wireless Client Blacklist

NETS has had several incidents of misbehaving wireless clients.

In one case, it was a malicious client which was spoofing ARP responses.

In other cases, it has been clients with apparently buggy software which roam between access points at excessive rates.

Currently, NETS has no effective way to block such clients.

Wireless Client Blacklist

The Cisco Access Points can consult a Radius server to determine if a particular MAC address should be allowed to associate to the network.

This has been tested in the lab.

NETS would implement this as a blacklist. Unknown clients would be allowed to associate.

The major concern for NETS is how to communicate that a host has been added to the blacklist.

Wireless Client Blacklist

By definition, NETS does not know who is responsible for the laptop in these cases. If that was known, NETS would contact the user or sysadmin directly.

Possible solutions are for NETS to send an email notice to various mailing lists when a host is added, or to provide a web page listing currently blacklisted hosts.

What does NETS need to do to make sysadmins comfortable with the blacklist?

WPA2 Wireless Authentication

WPA2 is the relatively secure follow-on to WEP and WPA.

WPA2 authentication and encryption is mainstream in all major laptop operating systems.

NETS will begin testing WPA2 authentication against a FreeRadius server.

WPA2 Wireless Authentication

Is WPA2 suitable as a replacement for the guest login system? Or is it only suitable as an addition?

Is WPA2 suitable as a replacement for VPN logins for staff?

Should staff WPA2 logins utilize passwords or certificates?