Applying Security Policies to Network Switches
Deniz Kaya, Microsoft, Cisco and Ironport Trainer (CCSI, CCNP, MCT, MCSE, ICSI, ICSP)
Securing LAN Devices: Overview
- Basic Switch Operation
- Switches Are Targets
- Securing Network Access to Layer 2 LAN Switches
- Protecting Administrative Access to Switches
- Protecting Access to the Management Port
- Turning Off Unused Network Interfaces and Services
- Summary
Why Worry About Layer 2 Security?
OSI was built to allow different layers to work without knowledge of each other.
[Figure: the OSI stacks of Host A and Host B (Physical, Data Link, Network, Transport, Session, Presentation, Application), with each pair of layers joined by physical links, MAC addresses, IP addresses, protocols and ports, and the application stream.]
Domino Effect
If one layer is hacked, communications are compromised without the other layers being aware of the problem. Security is only as strong as your weakest link. When it comes to networking, Layer 2 can be a very weak link.
[Figure: the same two OSI stacks, with the initial compromise at the Data Link layer (MAC addresses) and every layer above it marked as compromised.]
Switches Are Targets
Protection should include:
- Constraining Telnet access
- SNMP read-only
- Turning off unneeded services
- Logging unauthorized access attempts
VLANs are an added vulnerability:
- Remove user ports from automatic trunking
- Use nonuser VLANs for trunk ports
- Set unused ports to a nonrouted VLAN
- Do not depend on VLAN separation
- Use private VLANs
Securing Network Access at Layer 2
Follow these steps:
1. Protect administrative access to the switch.
2. Protect the switch management port.
3. Turn off unused network services.
4. Lock down the ports.
5. Use Cisco Catalyst switch security features.
Protecting Administrative Access
Two access levels:
- User level: accessed via Telnet or SSH connections to a switch or via the console line on the switch
- Privileged level: accessed after user level is established
The main vulnerability arises from poor password security.
Password Encryption
Switch(config)# enable password password
Sets a local password to control access to various privilege levels.
Switch(config)# enable secret [level level] {password | [encryption-type] encrypted-password}
Specifies an additional layer of security over the enable password command: the enable secret is stored as a one-way hash rather than in clear text, and it takes precedence when both are configured.
Password Guidelines
- Use passwords at least 10 characters long
- Do not use real words
- Mix letters, numbers, and special characters
- Do not use a number for the first character of the password
Administrators should perform these tasks:
- Change passwords every 90 days
- Make sure that the enable secret password is unique for each switch
- Do not use enable secret passwords for anything else on the switch
Protecting the Management Port
- Assign a unique account for each administrator
- Use a strong and unique password on every switch
- Set a timeout
- Use a banner
- Use OOB management
Turning Off Unused Network Services
Enabled network services open vulnerabilities for these reasons:
- Many connections are unencrypted.
- Default user accounts allow unauthorized entry.
- Weak and shared passwords on services open doors for attackers.
- Extended timeouts allow hijacking.
Shutting Down Interfaces
Shuts down a single interface:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# shutdown
Shuts down a range of interfaces (IOS expects a space on each side of the hyphen):
Switch(config)# interface range fastethernet 0/2 - 8
Switch(config-if-range)# shutdown
Summary
- Layer 2 vulnerabilities often escape notice, but network security is only as strong as its weakest link.
- Switches are targets because they can give attackers access to an entire network.
- Five basic steps can mitigate Layer 2 attacks.
- Use passwords to protect administrative access to switches.
- Protect the management port by assigning unique accounts and using strong passwords, timeouts, banners, and OOB management.
- Turn off unused network services and interfaces.
Mitigating Layer 2 Attacks: Overview
- Mitigating VLAN Hopping Attacks
- Preventing STP Manipulation
- Mitigating DHCP Server Spoofing with DHCP Snooping
- Mitigating ARP Spoofing with DAI
- CAM Table Overflow Attacks
- MAC Address Spoofing Attacks
- Using Port Security to Prevent Attacks
- Configuring Cisco Catalyst Switch Port Security
- Layer 2 Best Practices
- Summary
VLAN Hopping by Switch Spoofing
An attacker tricks a network switch into believing that it is a legitimate switch on the network needing trunking. Auto trunking allows the rogue station to become a member of all VLANs.
[Figure: a switch trunk port facing a rogue trunk port on the attacker's station.]
Note: There is no way to execute switch spoofing attacks unless the switch is misconfigured.
VLAN Hopping by Double Tagging
- The attacker sends double-encapsulated 802.1Q frames.
- The switch performs only one level of decapsulation: the first switch strips off the first tag and sends the frame back out.
- Only unidirectional traffic is passed.
- The attack works even if the trunk ports are set to “off”.
[Figure: the attacker (VLAN 10) sends a frame tagged 802.1Q 10, 802.1Q 20 into a trunk whose native VLAN is 10; the first switch strips the VLAN 10 tag, and the frame reaches the victim (VLAN 20) carrying only the 802.1Q 20 tag.]
Note: This attack works only if the trunk has the same native VLAN as the attacker.
Note: There is no way to execute these attacks unless the switch is misconfigured.
Mitigating VLAN Hopping Network Attacks
Example 1: If no trunking is required on an interface, disable trunking on the interface.
Router(config-if)# switchport mode access
Example 2: If trunking is required, enable trunking but prevent DTP frames from being generated.
Router(config-if)# switchport mode trunk
Router(config-if)# switchport nonegotiate
Example 3: If trunking is required, set the native VLAN on the trunk to an unused VLAN.
Router(config-if)# switchport trunk native vlan vlan-number
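To make the native-VLAN condition behind Example 3 concrete, here is an added Python model of the 802.1Q tag handling the double-tagging slide describes (teaching code, not from the deck or Cisco IOS; the Frame type, the function names and the unused native VLAN 999 are assumptions):

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Frame:
    tags: List[int]          # 802.1Q VLAN tags, outermost first; [] = untagged
    payload: str = "data"


def access_ingress(frame: Frame, access_vlan: int) -> Optional[Frame]:
    """Access port in access_vlan. An untagged frame is classified into the
    access VLAN; a frame already tagged with that VLAN is accepted as it is
    (any inner tag is just payload to this switch); a frame tagged with a
    different VLAN is dropped (None)."""
    if not frame.tags:
        return Frame([access_vlan], frame.payload)
    if frame.tags[0] != access_vlan:
        return None
    return Frame(list(frame.tags), frame.payload)


def trunk_egress(frame: Frame, native_vlan: int) -> Frame:
    """Sending out an 802.1Q trunk: the switch performs one level of
    decapsulation only, and only for the native VLAN, which goes untagged."""
    if frame.tags and frame.tags[0] == native_vlan:
        return Frame(frame.tags[1:], frame.payload)
    return frame


def trunk_ingress(frame: Frame, native_vlan: int) -> int:
    """Receiving on the far switch: an untagged frame belongs to the native
    VLAN; otherwise the outermost tag decides the VLAN."""
    return frame.tags[0] if frame.tags else native_vlan


def delivered_vlan(host_tags: List[int], access_vlan: int,
                   native_vlan: int) -> Optional[int]:
    """VLAN in which the far switch delivers a frame that a host on an access
    port sent with host_tags, or None if the first switch dropped it."""
    frame = access_ingress(Frame(list(host_tags)), access_vlan)
    if frame is None:
        return None
    return trunk_ingress(trunk_egress(frame, native_vlan), native_vlan)


def vlan_hop_possible(access_vlan: int, target_vlan: int, native_vlan: int) -> bool:
    """True when a double-tagged frame [access_vlan, target_vlan] would land
    in target_vlan, i.e. only when the access VLAN equals the native VLAN."""
    return delivered_vlan([access_vlan, target_vlan], access_vlan, native_vlan) == target_vlan


if __name__ == "__main__":
    # Slide scenario: attacker in VLAN 10, victim in VLAN 20, native VLAN 10.
    print("native VLAN 10 :", delivered_vlan([10, 20], 10, 10))    # 20: crosses VLANs
    # Example 3 applied: native VLAN moved to an unused VLAN (999 assumed).
    print("native VLAN 999:", delivered_vlan([10, 20], 10, 999))   # 10: stays in VLAN 10
```

Normal untagged traffic is delivered the same way in both configurations, which is why moving the native VLAN costs nothing for legitimate hosts.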
STP Attack
On booting the switch, STP identifies one switch as a root bridge and blocks other redundant data paths. STP uses BPDUs to maintain a loop-free topology.
[Figure: a redundant switched topology with the elected root bridge, ports marked F = Forwarding Port and B = Blocking Port, and one redundant path blocked.]
STP Attack (Cont.)
- The attacker sends spoofed BPDUs to change the STP topology.
- The attacker now becomes the root bridge.
[Figure: the attacker, connected to two access switches, sends spoofed BPDUs; the topology reconverges with the attacker as root and the former root's path blocked.]
Mitigating STP Attacks with bpduguard and guard root Commands
Mitigates STP manipulation with the bpduguard command (global form, applies to all PortFast-enabled ports):
IOS(config)# spanning-tree portfast bpduguard default
Mitigates STP manipulation with the guard root command:
IOS(config-if)# spanning-tree guard root
Spoofing the DHCP Server
1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client.
[Figure: client, rogue DHCP attacker, and legitimate DHCP server on the same segment.]
DHCP Snooping
- DHCP snooping allows the configuration of ports as trusted or untrusted.
- Trusted ports can send DHCP requests and acknowledgements.
- Untrusted ports can forward only DHCP requests.
- DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
- Use the ip dhcp snooping command.
[Figure: client, rogue DHCP attacker, and legitimate DHCP server, as on the previous slide.]
ARP Spoofing: Man-in-the-Middle Attacks
Hosts: A = host A (IP 10.1.1.2, MAC A.A.A.A), B = host B (IP 10.1.1.1, MAC B.B.B.B), C = host C, the attacker (IP 10.1.1.3, MAC C.C.C.C).
1. Host A (IP 10.1.1.2) asks: MAC for 10.1.1.1?
2. Legitimate ARP reply: 10.1.1.1 = MAC B.B.B.B
3. Subsequent gratuitous ARP replies from the attacker overwrite the legitimate replies: 10.1.1.1 bound to C.C.C.C, 10.1.1.2 bound to C.C.C.C
Resulting ARP tables:
- ARP table in host A: 10.1.1.1 = MAC C.C.C.C
- ARP table in host B: 10.1.1.2 = MAC C.C.C.C
- ARP table in host C: 10.1.1.1 = MAC B.B.B.B, 10.1.1.2 = MAC A.A.A.A
Mitigating Man-in-the-Middle Attacks with DAI
DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof.
DAI function (MAC or IP tracking built on DHCP snooping):
- Track the DHCP Discovery (broadcast) from the client.
- Track the DHCP Offer (unicast) from the server, recording the MAC or IP.
- Track subsequent ARPs for that MAC or IP.
[Figure: DHCP server at 10.1.1.1 answering a client that is assigned 10.1.1.2.]
DAI in Action
A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
[Figure: the attacker sends a GARP (“I am your gateway: 10.1.1.1”) to attempt to change the IP-address-to-MAC bindings of the host at 10.1.1.2; the real gateway is 10.1.1.1, and the switch drops the GARP because the attacker is not the gateway according to the binding table.]
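To show how the binding table on these slides turns into a forwarding decision, here is an added Python model of DHCP snooping plus DAI (teaching code, not Cisco's; the SnoopingSwitch class, the port numbers and the sample traffic are constructed to mirror the hosts A, B and C above):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int


class SnoopingSwitch:
    """Switch with DHCP snooping and DAI enabled; ports are trusted or untrusted."""

    def __init__(self, trusted_ports: Set[int]) -> None:
        self.trusted = set(trusted_ports)
        self.pending: Dict[str, Tuple[int, int]] = {}        # client MAC -> (port, vlan)
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, ip) -> Binding
        self.log: List[str] = []

    def dhcp(self, msg: str, port: int, vlan: int, client_mac: str,
             ip: Optional[str] = None) -> bool:
        """DHCP snooping: server messages (OFFER/ACK/NAK) are accepted only from
        trusted ports; client messages from any port. A server ACK completes a
        binding keyed on the port and VLAN where the client's request was seen.
        Returns True if the message is forwarded."""
        if msg in {"OFFER", "ACK", "NAK"} and port not in self.trusted:
            self.log.append(f"DROP DHCP {msg} from untrusted port {port}")
            return False
        if msg in {"DISCOVER", "REQUEST"}:
            self.pending[client_mac] = (port, vlan)
        elif msg == "ACK" and client_mac in self.pending and ip is not None:
            cport, cvlan = self.pending.pop(client_mac)
            self.bindings[(cvlan, ip)] = Binding(client_mac, ip, cvlan, cport)
        return True

    def arp(self, port: int, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: ARP from trusted ports is forwarded unchecked; from untrusted
        ports the sender IP/MAC pair must match a snooping binding for that
        VLAN, otherwise the packet is dropped and logged."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac:
            self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on port {port}")
            return False
        return True


def scenario() -> Dict[str, bool]:
    """Constructed traffic mirroring the slides: host A (10.1.1.2, A.A.A.A) on
    port 1 and attacker C (10.1.1.3, C.C.C.C) on port 3 both lease addresses
    from the legitimate server behind trusted uplink port 24; the gateway B
    (10.1.1.1, B.B.B.B) also sits behind port 24. Values are True if forwarded."""
    sw = SnoopingSwitch(trusted_ports={24})
    for port, mac, ip in [(1, "A.A.A.A", "10.1.1.2"), (3, "C.C.C.C", "10.1.1.3")]:
        sw.dhcp("DISCOVER", port, 10, mac)
        sw.dhcp("OFFER", 24, 10, mac, ip)
        sw.dhcp("REQUEST", port, 10, mac, ip)
        sw.dhcp("ACK", 24, 10, mac, ip)
    return {
        "rogue_offer": sw.dhcp("OFFER", 3, 10, "A.A.A.A", "10.1.1.2"),
        "host_a_arp": sw.arp(1, 10, "A.A.A.A", "10.1.1.2"),
        "attacker_own_arp": sw.arp(3, 10, "C.C.C.C", "10.1.1.3"),
        "gateway_arp": sw.arp(24, 10, "B.B.B.B", "10.1.1.1"),
        "garp_claiming_gateway": sw.arp(3, 10, "C.C.C.C", "10.1.1.1"),
        "garp_claiming_host_a": sw.arp(3, 10, "C.C.C.C", "10.1.1.2"),
    }


if __name__ == "__main__":
    for name, forwarded in scenario().items():
        print(f"{name:24s} {'forwarded' if forwarded else 'DROPPED'}")
```

Hosts with static addresses (a gateway on an access port, for instance) have no DHCP binding, so in production they need a trusted port or a static entry; the model keeps the gateway behind the trusted uplink for that reason.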
The Switch “Learns” by Flooding the Network
Hosts MAC A, MAC B, and MAC C are on Port 1, Port 2, and Port 3. CAM table: A → Port 1, C → Port 3.
- The CAM table is incomplete.
- MAC B is unknown, so the switch will flood the frame A->B out every other port.
- MAC C “sees” traffic to MAC B.
CAM Learns MAC B Is on Port 2
Host B replies with B->A. CAM table: A → Port 1, B → Port 2, C → Port 3.
- Host C drops the packet addressed to host B.
- CAM learns that MAC B is on Port 2.
(MAC A = host A, MAC B = host B, MAC C = host C)
CAM Table Is Updated — Flooding Stops
CAM table: A → Port 1, B → Port 2, C → Port 3.
- CAM has learned MAC B is on Port 2, so A->B is sent out Port 2 only.
- MAC C does not “see” traffic to MAC B anymore.
- CAM tables are limited in size.
Intruder Launches macof Utility
- Intruder runs macof on MAC C (Port 3).
- Macof starts sending frames from unknown bogus MAC addresses (X->?, Y->?).
- Bogus addresses are added to the CAM table: X is on Port 3 and CAM is updated; Y is on Port 3 and CAM is updated.
CAM table progression: A → 1, B → 2, C → 3; then X → 3, B → 2, C → 3; then X → 3, Y → 3, C → 3.
The CAM Table Overflows — Switch Crumbles Under the Pressure
CAM table: X → Port 3, Y → Port 3, C → Port 3.
- The CAM table is full, so Port 3 is closed.
- MAC B is unknown, so the switch floods the frame A->B looking for MAC B, and MAC C sees it again.
(MAC A = host A, MAC B = host B, MAC C = host C)
MAC Address Spoofing Attack
[Figure: hosts A, B, and C on switch ports 1, 2, and 3; host B is the attacker. Switch port table before the attack: A → 1, B → 2, C → 3. The attacker sends frames with SRC MAC A (SRC = Source), so the switch updates its port table to A, B → 2, C → 3 (spoofed switch port table); frames with DEST MAC A (DEST = Destination) are now delivered to port 2, the attacker.]
Using Port Security to Mitigate Attacks
Port security can mitigate attacks by these methods:
- Blocking input to a port from unauthorized MAC addresses
- Filtering traffic to or from a specific host based on the host MAC address
Port security mitigates these:
- CAM table overflow attacks
- MAC address spoofing attacks
Port Security Fundamentals
This feature restricts input to an interface by limiting and identifying MAC addresses of end devices. Secure MAC addresses are included in an address table in one of these ways:
- Use the switchport port-security mac-address mac_address interface configuration command to configure all secure MAC addresses
- Allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices
- Configure some addresses and allow the rest to be configured dynamically
Configure “restrict” or “shutdown” violation rules.
Port Security Configuration
Secure MAC addresses are these types:
- Static secure MAC addresses
- Dynamic secure MAC addresses
- Sticky secure MAC addresses
Security violations occur in these situations:
- A station whose MAC address is not in the address table attempts to access the interface when the table is full.
- An address is being used on two secure interfaces in the same VLAN.
Port Security Defaults (feature: default setting)
- Port security: disabled on a port
- Maximum number of secure MAC addresses: 1
- Violation mode: shutdown (the port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent)
Configuring Port Security on a Cisco Catalyst Switch
1. Enter global configuration mode.
2. Enter interface configuration mode for the port that you want to secure.
3. Enable basic port security on the interface.
4. Set the maximum number of MAC addresses allowed on this interface.
5. Set the interface security violation mode. The default is shutdown. For mode, select one of these keywords: shutdown (err-disables the port), restrict (drops offending frames and counts the violation), or protect (drops offending frames silently).
6. Return to privileged EXEC mode.
7. Verify the entry.
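To tie the CAM-table walkthrough, the MAC spoofing slide and these port-security steps together, here is an added Python simulation (teaching code, not Cisco's) of a learning switch with a bounded CAM table and per-port security; the Switch class, the MAC labels, the port numbers and the FIFO eviction standing in for CAM aging are all constructed:

```python
from collections import OrderedDict
from typing import Dict, List, Set


class Switch:
    """Learning switch with a bounded CAM table and optional port security."""

    def __init__(self, cam_size: int, ports: List[int]) -> None:
        self.cam_size = cam_size
        self.cam: "OrderedDict[str, int]" = OrderedDict()   # MAC -> port
        self.ports = list(ports)
        self.secure: Dict[int, dict] = {}                   # port -> {"max","mode","macs"}
        self.errdisabled: Set[int] = set()
        self.violations: Dict[int, int] = {}

    def enable_port_security(self, port: int, maximum: int = 1,
                             mode: str = "shutdown") -> None:
        self.secure[port] = {"max": maximum, "mode": mode, "macs": set()}

    def _violation(self, port: int) -> bool:
        mode = self.secure[port]["mode"]
        if mode != "protect":                    # restrict and shutdown count and log
            self.violations[port] = self.violations.get(port, 0) + 1
        if mode == "shutdown":
            self.errdisabled.add(port)           # port goes err-disabled
        return False                             # the frame is dropped in every mode

    def _port_security_allows(self, port: int, src: str) -> bool:
        cfg = self.secure.get(port)
        if cfg is None or src in cfg["macs"]:
            return True
        if any(src in o["macs"] for p, o in self.secure.items() if p != port):
            return self._violation(port)         # MAC already secured on another port
        if len(cfg["macs"]) < cfg["max"]:
            cfg["macs"].add(src)                 # dynamically learned secure MAC
            return True
        return self._violation(port)             # table full, unknown source

    def _learn(self, port: int, src: str) -> None:
        if src not in self.cam and len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)         # oldest entry evicted (models aging)
        self.cam[src] = port

    def receive(self, port: int, src: str, dst: str) -> Set[int]:
        """Process one frame and return the set of egress ports."""
        if port in self.errdisabled or not self._port_security_allows(port, src):
            return set()
        self._learn(port, src)
        if dst in self.cam:
            return {self.cam[dst]} - {port}
        return set(self.ports) - {port}          # unknown unicast: flood


def cam_overflow_demo(port_security: bool) -> dict:
    """Hosts A, B on ports 1, 2; the intruder on port 3 floods bogus sources
    (macof style) into a 3-entry CAM table, then A sends to B again."""
    sw = Switch(cam_size=3, ports=[1, 2, 3])
    if port_security:
        sw.enable_port_security(3, maximum=1, mode="shutdown")
    sw.receive(1, "A", "B")
    sw.receive(2, "B", "A")
    for bogus in ["C", "X", "Y"]:
        sw.receive(3, bogus, "FF")
    return {"a_to_b": sw.receive(1, "A", "B"), "cam": dict(sw.cam),
            "port3_errdisabled": 3 in sw.errdisabled}


def mac_spoof_demo(port_security: bool) -> dict:
    """The attacker on port 3 sends a frame with host A's source MAC; then B
    sends to A and we look at where the switch delivers it."""
    sw = Switch(cam_size=8, ports=[1, 2, 3])
    if port_security:
        sw.enable_port_security(3, maximum=1, mode="restrict")
    sw.receive(1, "A", "B")
    sw.receive(2, "B", "A")
    sw.receive(3, "C", "A")
    sw.receive(3, "A", "B")                      # spoofed source MAC
    return {"a_port": sw.cam.get("A"), "b_to_a": sw.receive(2, "B", "A"),
            "violations": sw.violations.get(3, 0)}


if __name__ == "__main__":
    print("overflow, no port security :", cam_overflow_demo(False))
    print("overflow, port security    :", cam_overflow_demo(True))
    print("spoofing, no port security :", mac_spoof_demo(False))
    print("spoofing, port security    :", mac_spoof_demo(True))
```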
Port Security Configuration Script
Use these configuration parameters:
- Enable port security on Fast Ethernet port 1
- Set the maximum number of secure addresses to 50
- Set violation mode to default
- No static secure MAC addresses needed
- Enable sticky learning
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security aging time 20
Switch(config-if)# end
Verify the Configuration
Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
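Verifying one port by eye is fine; across a fleet the check is scripted. Here is an added Python parser and policy audit for the show port-security interface output above (not Cisco tooling; the first sample is the slide's output, the second sample and the policy threshold are constructed):

```python
import re
from typing import Dict, List

# Output as printed on the slide above.
SLIDE_OUTPUT = """\
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
"""

# Constructed sample of a port that has tripped (not from the slides).
TRIPPED_OUTPUT = """\
Port Security: Enabled
Port status: Secure-shutdown
Violation mode: Shutdown
Maximum MAC Addresses :200
Total MAC Addresses: 200
Configured MAC Addresses: 0
Sticky MAC Addresses :200
Aging time: 0 mins
Aging type: Absolute
SecureStatic address aging: Disabled
Security Violation count: 3
"""

# IOS is inconsistent about the space before the colon ("Addresses :50"),
# so the key is matched lazily and whitespace around ":" is optional.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>\S.*?)?\s*$")


def parse_port_security(text: str) -> Dict[str, str]:
    """Turn the key: value lines into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m["key"].strip().lower()] = (m["val"] or "").strip()
    return fields


def _int(value: str) -> int:
    m = re.search(r"\d+", value)
    return int(m.group()) if m else 0


def audit(fields: Dict[str, str], max_allowed: int) -> List[str]:
    """Policy checks worth running on every access port; returns findings."""
    findings: List[str] = []
    if fields.get("port security") != "Enabled":
        return ["port security is not enabled"]
    if fields.get("port status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation")
    if fields.get("violation mode") == "Protect":
        findings.append("protect mode drops silently with no log or counter")
    maximum = fields.get("maximum mac addresses", "0")
    if _int(maximum) > max_allowed:
        findings.append(f"maximum {maximum} exceeds policy limit {max_allowed}")
    count = fields.get("security violation count", "0")
    if _int(count) > 0:
        findings.append(f"{count} security violation(s) recorded")
    return findings


if __name__ == "__main__":
    for name, text in [("slide", SLIDE_OUTPUT), ("tripped", TRIPPED_OUTPUT)]:
        print(name, audit(parse_port_security(text), max_allowed=50) or ["ok"])
```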
Layer 2 Best Practices
- Restrict management access to the switch so that parties on nontrusted networks cannot exploit management interfaces and protocols such as SNMP.
- Avoid using clear text management protocols on a hostile network.
- Turn off unused and unneeded network services.
- Use port security mechanisms to limit the number of allowed MAC addresses to provide protection against a MAC flooding attack.
- Use a dedicated native VLAN ID for all trunk ports.
- Shut down unused ports in the VLAN.
- Prevent denial-of-service attacks and other exploits by locking down the Spanning Tree Protocol and other dynamic protocols.
- Avoid using VLAN 1, where possible, for trunk and user ports.
- Use DHCP snooping and DAI to mitigate man-in-the-middle attacks.
Summary
- Disabling auto trunking mitigates VLAN hopping attacks.
- The guard root command and the bpduguard command mitigate STP attacks.
- DAI can protect against man-in-the-middle attacks.
- To prevent DHCP attacks, use the DHCP snooping and the port security feature on the Cisco Catalyst switches.
- Mitigate CAM table overflow attacks with Cisco IOS software commands.
- Configuring port security can prevent MAC address spoofing attacks. Limiting the number of valid MAC addresses allowed on a port provides many benefits.
- Configure port security with Cisco IOS software commands.
- Following best practices mitigates Layer 2 attacks.