Tuesday, May 18, 2010

LAN edge switch security functions: Switch ACLs; filtering port traffic

Organizations large and small spend a lot of money buying intelligent edge switches that can do a lot more than provide base connectivity, but then they use these switches for little more than the basics. Among the functions often overlooked are LAN edge switch security features, including port-level security and switch-level access control lists (ACLs).

LAN edge switch ACLs can be an important part of defense in depth. Just like ACLs on routers and firewalls, switch-level ACLs can filter traffic, permitting or denying access through the port. But pushing that function to the edge spreads the work out, potentially decreasing the number of rules required in other locations and the amount of traffic processed there, thus improving performance. Also, LAN edge switch ACLs can do something ACLs elsewhere can't: help protect edge devices from one another.

How LAN edge switch ACLs work

ACLs work in a straightforward way: each rule identifies an action, the kind of traffic the action applies to (the object of the action), and the sources and destinations involved.

  • Action: Options are usually limited to forwarding packets ("permit"), or blocking them from passing ("deny").
  • Object: If a switch has ACLs, it usually has at least three possibilities: all IP traffic, all TCP traffic, and all UDP traffic. Many switches can also filter by TCP and UDP port number, so that you can, for example, permit SSL traffic but block NFS.
  • Source and destination: These can always be specified with IP addresses, or ranges of IP addresses (as an address base and mask). You may also be able to use MAC addresses and the EtherType field.

Note the melding of information from layers 2 (MAC address), 3 (IP address) and 4 (TCP/UDP ports) in ACLs. This ability to pay attention to and act on multiple layers of traffic is part of what makes intelligent switches intelligent.

ACLs are processed sequentially: Traffic is compared to each rule in turn, from top to bottom, until it hits a rule that applies to it, and then that action is taken. So, for example, to make ports on a switch useful only as thin clients running against a Citrix XenApp/XenDesktop farm, one might apply an ACL similar to this (assuming the data center net is 192.168.100.000 with wildcard mask 000.000.000.255, i.e. the 192.168.100.x range, where a 0 bit in the mask must match and a 255 octet is ignored):

  • Permit TCP any 192.168.100.000 000.000.000.255 port 1494
  • Permit TCP 192.168.100.000 000.000.000.255 any port 2598
  • Deny any any

Ports 1494 and 2598 are the primary ports used by ICA, Citrix's thin client protocol. Traffic bound to the data center from any IP node attached to the switch, or from the data center to any node attached to the switch, and traveling across the specified TCP ports will be permitted to pass through the switch to the edge ports or to the uplink port.

Intelligent edge switch security features: Supporting VLANs; port management

ACLs are not the only intelligent edge switch security feature. Any smart switch supports VLANs. Where ACLs are great for managing access to specific addresses or applications, VLANs are a more robust way of handling groupings of ports and controlling traffic among these groups. Also, many other security settings are available (varying by vendor and line) to perform such functions as controlling broadcast storms and limiting the MAC addresses a port will talk to.

Suppose, for example, that in your offices there is no business reason for PCs (or Macs) to talk directly to one another because, for instance, services are all provided out of the data center. To help prevent rapid spread of viruses from machine to machine, you might configure the edge switches to prevent ports from talking to one another. There are several ways to do so:

  • You can manage it with ACLs:
  1. Permit IP Any 192.168.100.000 000.000.000.255
  2. Permit IP 192.168.100.000 000.000.000.255 Any
  3. Deny IP Any 192.168.000.000 000.000.255.255
  4. Deny IP 192.168.000.000 000.000.255.255 Any
  5. Permit IP Any any

  • You can manage it with VLANs by putting every port on a unique VLAN and not propagating VLANs off the switch.
  • You can also manage it with other settings, such as making all the edge ports on a Cisco switch "protected" or using the "port-isolation" function on HP ProCurve switches.
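
To make the first-match behaviour described above concrete, here is an added example (not part of the original post) in Python that parses rules written the way both ACLs above are written, evaluates constructed sample packets against them top to bottom, and reports which rule decided. It serves the Citrix-only ACL and the no-peer-talk ACL with the same parser. The implicit deny for traffic that matches no rule, and the 192.168.5.x edge-port subnet used in the samples, are assumptions, not something the post states.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# An address spec is None for "any", otherwise (base, wildcard). The wildcard is
# Cisco style: 0 bits must match the base, 1 bits are ignored.
AddrSpec = Optional[Tuple[str, str]]


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any IP protocol), "tcp" or "udp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None  # destination TCP/UDP port, when the rule names one


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _norm(addr: str) -> str:
    """'192.168.100.000' -> '192.168.100.0' (ipaddress rejects leading zeros)."""
    return ".".join(str(int(octet)) for octet in addr.split("."))


def parse_rule(line: str) -> Rule:
    """Parse '<permit|deny> [ip|tcp|udp] <src> <dst> [port N]', where <src> and
    <dst> are 'any' or 'base wildcard'. No protocol (as in 'Deny any any') means 'ip'."""
    tok = line.lower().split()
    action = tok[0]
    if tok[1] in ("ip", "tcp", "udp"):
        proto, i = tok[1], 2
    else:
        proto, i = "ip", 1

    def take_addr() -> AddrSpec:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None
        spec = (_norm(tok[i]), _norm(tok[i + 1]))
        i += 2
        return spec

    src, dst = take_addr(), take_addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "port" else None
    return Rule(action, proto, src, dst, dport)


def _addr_match(spec: AddrSpec, addr: str) -> bool:
    if spec is None:
        return True
    base, wildcard = spec
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)  # compare only the bits the wildcard does not ignore


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first matching rule decides.
    Returns (action, 1-based rule number); a packet matching no rule gets the
    implicit deny most switches apply (an assumption here), reported as rule None."""
    for number, rule in enumerate(acl, start=1):
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action, number
    return "deny", None


# The two ACLs from the post, written exactly as the post writes them.
CITRIX_ONLY = [parse_rule(r) for r in (
    "Permit TCP any 192.168.100.000 000.000.000.255 port 1494",
    "Permit TCP 192.168.100.000 000.000.000.255 any port 2598",
    "Deny any any",
)]

NO_PEER_TALK = [parse_rule(r) for r in (
    "Permit IP Any 192.168.100.000 000.000.000.255",
    "Permit IP 192.168.100.000 000.000.000.255 Any",
    "Deny IP Any 192.168.000.000 000.000.255.255",
    "Deny IP 192.168.000.000 000.000.255.255 Any",
    "Permit IP Any any",
)]

if __name__ == "__main__":
    # Constructed sample traffic; 192.168.5.x stands in for the edge-port subnet.
    samples = (
        (CITRIX_ONLY, Packet("tcp", "192.168.5.10", "192.168.100.20", 1494)),
        (CITRIX_ONLY, Packet("tcp", "192.168.5.10", "192.168.100.20", 443)),
        (NO_PEER_TALK, Packet("tcp", "192.168.5.10", "192.168.5.11", 445)),
        (NO_PEER_TALK, Packet("ip", "192.168.5.10", "8.8.8.8")),
    )
    for acl, pkt in samples:
        print(pkt, "->", evaluate(acl, pkt))
```

Running it shows both rule lists behaving as described above, and it also surfaces something worth checking before the second ACL is rolled out: because rule 4 denies traffic from any 192.168.x.x source to any destination, a workstation in that range headed anywhere other than the data center (an Internet address, say) is dropped by rule 4, so rule 5 only ever sees sources outside 192.168.0.0/16. Tracing each sample packet to the rule number that decided it is the quickest way to catch that kind of ordering effect.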

Managing ACLs manually (like the rest of the security settings on your switches) is easy enough if you have only a few switches. The more you have, the more important it becomes to maintain a standard "golden" configuration and use automated configuration tools to maintain and audit configuration.
