Posted 14-Apr-2018 by morad-alabsy (Documents)

06 - Securing the Local Area Network
© 2009 Cisco Learning Institute. (22 slides; printed 7/30/2019)
Ahmed Sultan
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH
Layer 2 Security
[Figure: enterprise network diagram: Internet, perimeter (firewall, IPS, VPN, ACS), web, email and DNS servers, and the internal hosts.]
OSI Model
When it comes to networking, Layer 2 is often a very weak link.
[Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical), annotated with what each layer carries: application stream, protocols and ports, IP addresses, MAC addresses, physical links. In the second stack an initial compromise at the Data Link layer leaves every layer above it compromised.]
MAC Address Spoofing Attack
[Figure: a switch with a server (MAC address AABBcc) on Port 1 and the attacker (MAC address 12AbDd) on Port 2; the MAC address table maps Port 1 to AABBcc and Port 2 to 12AbDd.]
Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."
The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
MAC Address Spoofing Attack
[Figure: the attacker on Port 2 now presents MAC address AABBcc, the same address as the server on Port 1.]
Attacker: "I have changed the MAC address on my computer to match the server."
Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."
MAC Address Table Overflow Attack
The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
MAC Address Table Overflow Attack
[Figure: hosts A, B, C and D on one switch, all in VLAN 10; the intruder is host C on port 3/25.]
1. The intruder runs macof to begin sending unknown bogus MAC addresses (X, Y, Z, ...).
2. Bogus addresses are added to the CAM table (MAC X on 3/25, MAC Y on 3/25, MAC C on 3/25, ...).
3. The CAM table is full.
4. The switch floods the frames. The attacker sees traffic to servers B and D.
MAC ADDRESS TABLE OVERFLOW ATTACK (LAB)
STP Manipulation Attack
Spanning tree protocol operates by electing a root bridge.
STP builds a tree topology.
STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
[Figure: root bridge with Priority = 8192 and MAC address 0000.00C0.1234; switch ports marked F (forwarding) and B (blocking).]
Configure PortFast
Switch(config-if)# spanning-tree portfast
    Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
Switch(config-if)# no spanning-tree portfast
    Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
Switch(config)# spanning-tree portfast default
    Globally enables the PortFast feature on all nontrunking ports.
Switch# show running-config interface type slot/port
    Indicates whether PortFast has been configured on a port.
[Figure: a server and a workstation attached to the switch's access ports.]
STP Manipulation Attack
[Figure: root bridge (Priority = 8192) at the top of a spanning tree; switch ports marked F (forwarding) and B (blocking); the attacker is attached at the edge and sends BPDUs toward the switches.]
The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
BPDU Guard
Switch(config)# spanning-tree portfast bpduguard default
    Globally enables BPDU guard on all ports with PortFast enabled.
[Figure: the same topology with BPDU Guard enabled on the access ports; the attacker's STP BPDU is stopped at the port.]
Root Guard
Switch(config-if)# spanning-tree guard root
    Enables root guard on a per-interface basis.
[Figure: the root bridge has Priority = 0 and MAC address 0000.0c45.1a5d; the attacker sends an STP BPDU claiming Priority = 0 and MAC address 0000.0c45.1234; Root Guard is enabled on the port facing the attacker.]
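The STP manipulation and root guard slides above, as an added Python model that is not part of the deck: it applies the election rule (lowest priority wins, lowest MAC breaks the tie) to the values on this slide, so the attacker's BPDU with priority 0 and MAC 0000.0c45.1234 would beat the real root's 0000.0c45.1a5d unless root guard holds the port. The port name Fa0/5 and the result strings are assumptions.

```python
"""STP root election and the root guard check on one switch port.

Added example, not from the slides. Rule modelled: the lowest (priority, MAC)
bridge ID wins the election; a port with root guard never accepts a superior
BPDU and goes root-inconsistent (blocking) instead. The port name Fa0/5 and
the result strings are assumptions made for this example.
"""


def bridge_key(priority, mac):
    """Election order: priority first, then the MAC as a number (lower wins)."""
    return (priority, int(mac.replace(".", ""), 16))


class Switch:
    def __init__(self, root_priority, root_mac, root_guard_ports=()):
        self.root = bridge_key(root_priority, root_mac)
        self.root_guard_ports = set(root_guard_ports)
        self.inconsistent_ports = set()

    def receive_bpdu(self, port, priority, mac):
        """Process a configuration BPDU heard on `port`.

        Returns "ignored" (BPDU not superior), "new-root" (switch re-elects
        the sender's root) or "root-inconsistent" (root guard blocked the port).
        """
        claimed = bridge_key(priority, mac)
        if not claimed < self.root:
            return "ignored"
        if port in self.root_guard_ports:
            self.inconsistent_ports.add(port)   # blocks until superior BPDUs stop
            return "root-inconsistent"
        self.root = claimed                      # topology is recalculated
        return "new-root"


def attack(root_guard):
    """Replay the slide: real root is priority 0 / 0000.0c45.1a5d; the
    attacker on Fa0/5 sends a BPDU claiming priority 0 / 0000.0c45.1234.
    Returns (result, whether the legitimate root is still the root)."""
    sw = Switch(0, "0000.0c45.1a5d", root_guard_ports={"Fa0/5"} if root_guard else ())
    result = sw.receive_bpdu("Fa0/5", 0, "0000.0c45.1234")
    return result, sw.root == bridge_key(0, "0000.0c45.1a5d")
```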
LAN Storm Attack
Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
[Figure: a broadcast frame replicated out every port of the switch.]
VLAN Attacks
VLAN = Broadcast Domain = Logical Network (Subnet)
Segmentation
Flexibility
Security
VLAN Hopping Attack
[Figure: the attacker's port has become an 802.1Q trunk carrying VLAN 10 and VLAN 20; the attacker sees traffic destined for the servers on both VLANs.]
A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode.
Port Security Overview
Allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.
[Figure: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C; two attackers (one spoofing MAC A, one with MAC F) attempt to connect.]
CLI Commands
Switch(config-if)# switchport mode access
    Sets the interface mode as access.
Switch(config-if)# switchport port-security
    Enables port security on the interface.
Switch(config-if)# switchport port-security maximum value
    Sets the maximum number of secure MAC addresses for the interface (optional).
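The MAC address table overflow attack from the earlier slides and the port security mitigation above, as an added Python model that is not part of the deck: a small switch that learns source MACs until its table is full and floods frames for destinations it never learned, run once without port security and once with a per-port maximum of one address. The port numbers other than 3/25, the CAM capacity, host E and the shutdown violation action are assumptions.

```python
"""A switch MAC address (CAM) table under a macof-style flood, with and
without port security. Added example, not from the slides.

Scenario from the deck: hosts A, B, C and D in VLAN 10, the intruder being
host C on port 3/25. CAM capacity, port-security maximum, the other port
numbers, host E and the violation action (shutdown, the IOS default) are
assumptions made for this example.
"""
import random

BROADCAST = "ffff.ffff.ffff"

class Switch:
    def __init__(self, cam_capacity, port_security_max=None):
        self.cam = {}                      # learned MAC -> port
        self.cam_capacity = cam_capacity
        self.ps_max = port_security_max    # None: port security disabled
        self.secure = {}                   # port -> MACs learned on that port
        self.err_disabled = set()

    def receive(self, port, src, dst):
        """Switch one frame; return the egress port, "flood" or "dropped"."""
        if port in self.err_disabled:
            return "dropped"
        if self.ps_max is not None:
            learned = self.secure.setdefault(port, set())
            if src not in learned:
                if len(learned) >= self.ps_max:
                    self.err_disabled.add(port)   # violation: port shut down
                    return "dropped"
                learned.add(src)
        # Source learning: a new MAC is recorded only while the table has room.
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # Destination not in the table (unknown, or never learned): flood.
        return self.cam.get(dst, "flood")

def run(port_security_max=None, bogus_frames=200, cam_capacity=100):
    """Return (egress port for B's reply to E, CAM entries) after the attack."""
    sw = Switch(cam_capacity, port_security_max)
    for mac, port in (("A", "3/1"), ("B", "3/2"), ("C", "3/25"), ("D", "3/4")):
        sw.receive(port, mac, BROADCAST)             # legitimate hosts learned
    rng = random.Random(1)                           # reproducible bogus MACs
    for _ in range(bogus_frames):                    # macof run from host C
        sw.receive("3/25", "%012x" % rng.getrandbits(48), BROADCAST)
    sw.receive("3/5", "E", "B")                      # new server E talks to B
    # With the table full E was never learned, so B's reply is flooded out
    # every port in the VLAN, including the intruder's.
    return sw.receive("3/2", "B", "E"), len(sw.cam)
```

Without port security the call returns ("flood", 100): the table is full of bogus entries and B's unicast reply reaches the intruder; with a maximum of one secure address on each port the intruder's port is shut down on its first bogus frame and the reply goes straight to "3/5".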
MAC ADDRESS TABLE OVERFLOW ATTACK (LAB)
Mitigating VLAN Attacks
[Figure: a trunk link with Native VLAN = 10.]
1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.
Controlling Trunking
Switch(config-if)# switchport mode trunk
    Specifies an interface as a trunk link.
Switch(config-if)# switchport nonegotiate
    Prevents the generation of DTP frames.
Switch(config-if)# switchport trunk native vlan vlan_number
    Sets the native VLAN on the trunk to an unused VLAN.