BRKSEC-2202
Understanding and Preventing Layer-2 Attacks in IPv4 and IPv6 networks
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2202 2
Housekeeping
We value your feedback- don't forget to complete your online session evaluations after each session & the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings
Please switch off your mobile phones
After the event don’t forget to visit Cisco Live Virtual: www.ciscolivevirtual.com
Session Abstract
This session focuses on the network security issues surrounding Layer-2, the data link layer. Because many network attacks originate from inside the corporate firewall, exploring this soft underbelly of data networking is critical for any secure network design. Issues including MAC flooding, IPv4 ARP spoofing, IPv6 Neighbor Discovery Protocol (NDP) spoofing, VLAN hopping, Dynamic Host Configuration Protocol (DHCP) attacks, DTP, Spanning Tree Protocol (STP) and First-Hop Redundancy Protocols (HSRP and VRRP) are discussed.
Common myths about Ethernet switch security are addressed and specific security lockdown recommendations are provided. Attack mitigation options presented include DHCP snooping, Dynamic ARP Inspection (DAI) and the new IPv6 First-Hop Security. Attendees can expect to learn Layer-2 design considerations from a security perspective and mitigation techniques for Layer-2 attacks.
Virtualization environment challenges and Layer-2 attack mitigation using firewall and IPS technologies are discussed as well.
This intermediate session is suited for network designers, administrators, and engineers in all areas of data networking.
BRKSEC-3003 is the advanced version of the IPv6 part of this session.
Agenda
Introduction to Layer-2 Security
Layer-2 Security – Fundamental Mechanisms
- MAC, STP, VTP, CDP, LLDP and FHRP attacks
- Securing Segmentation against VLAN and DTP attacks.
- Achieving Layer 2 Confidentiality with 802.1AE MACSec
Layer-2 Security specific to IPv4 Networks: Attacks and Countermeasures
- Securing Integrity and Availability of DHCPv4 and ARP
Layer-2 Security specific to IPv6 Networks: Attacks and Countermeasures
- IPv6 FHS: First-Hop Security Mechanisms
Layer-2 Security in the Era of Virtualization and Cloud
- VM Hypervisor Layer-2 Security (N1kV)
Layer-2 advanced attack mitigation using security appliances
- Firewall Layer-2 attack mitigation
- IPS Layer-2 attack mitigation
Summary
Why Worry About Layer-2 Security?
Figure: Host A and Host B, each drawn as the seven-layer OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical). Each layer talks only to its peer on the other host: application stream, protocols/ports, IP addresses, MAC addresses, physical links.
The OSI model was built to allow different layers to work without knowledge of each other.
Lower OSI Layers Affect Higher Layers
If one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as the weakest link.
When it comes to networking, Layer-2 can be a very weak link.
Figure: the same two OSI stacks; the initial compromise happens at the Data Link layer (physical links, MAC addresses), and everything above it, up to the application stream (POP3, IMAP, IM, SSL, SSH), is compromised as a result.
Approaching Network Security the Systemic Way
Layer-2 Security and Link Operations
Link operations are the operations contained within the link boundaries that a node needs in order to communicate with its neighbors, including the link exit points. They encompass:
- Address configuration parameters
- Address initialization
- Address resolution
- Default gateway discovery
- Local network configuration
- Neighbor reachability tracking
Attacks at Layer-2 target each of these operations:
- Address and local network configuration: trickery on configuration parameters
- Address initialization: denial of address insertion
- Address resolution: address stealing
- Default gateway discovery: rogue routers
- Neighbor reachability tracking: trickery on neighbor status
The outcomes are link-operation disruption (denial of service), neighbor cache poisoning, attacks on on-link or off-link victims, and hijacking of a key role such as the router or the DHCP server.
Figure: "a link", the set of nodes sharing one Layer-2 segment.
Agenda: Layer-2 Security – Fundamental Mechanisms (MAC, STP, VTP, CDP, LLDP and FHRP attacks; VLAN and DTP; 802.1AE MACsec)
A Quick Review: MAC Address and CAM Table
CAM table stands for Content Addressable Memory.
The CAM table stores information such as the MAC addresses seen on physical ports with their associated VLAN parameters.
The CAM table has a limited, platform-dependent size.
A MAC address is a 48-bit number, written in hexadecimal, that creates a unique Layer-2 address, for example 1234.5678.9ABC:
- First 24 bits: manufacturer code (OUI), assigned by the IEEE (0000.0c is a Cisco OUI, so Cisco addresses look like 0000.0cXX.XXXX)
- Second 24 bits: specific interface, assigned by the manufacturer
- All Fs (FFFF.FFFF.FFFF) is the broadcast address
Normal CAM Behavior (1/2)
Figure: a switch with MAC A on port 1, MAC B on port 2 and MAC C on port 3. The switch learns from source addresses ("A is on port 1", "B is on port 2", "C is on port 3"), giving the CAM table A=1, B=2, C=3.
Normal CAM Behavior (2/2)
Figure: A sends traffic to B. The CAM table already holds B on port 2, so the frame is forwarded out port 2 only; C on port 3 does not see the traffic to B.
CAM Overflow Attack
Figure: the attacker on port 3 sends frames with bogus source addresses Y, Z, ... so the switch learns "Y is on port 3", "Z is on port 3" and so on until the CAM table is full. When A now sends to B, the switch has no entry for B, floods the frame, and the attacker on port 3 can see the traffic to B.
It is trivial to overflow the CAM table with invalid MAC addresses.
Classic tool: macof, developed in 1999
- About 100 lines of Perl, included in the dsniff package
- macof sends frames with random source MAC and IP addresses
- Common tools are capable of generating 100,000+ spoofed MAC addresses per minute; your mileage may vary
- It is much more aggressive if its output is discarded instead of printed: macof -i eth1 2> /dev/null
MAC Flooding with macof
~# macof -i eth1
36:a1:48:63:81:70 15:26:8d:4d:28:f8 0.0.0.0.26413 > 0.0.0.0.49492: S 1094191437:1094191437(0) win 512
16:e8:8:0:4d:9c da:4d:bc:7c:ef:be 0.0.0.0.61376 > 0.0.0.0.47523: S 446486755:446486755(0) win 512
18:2a:de:56:38:71 33:af:9b:5:a6:97 0.0.0.0.20086 > 0.0.0.0.6728: S 105051945:105051945(0) win 512
e7:5c:97:42:ec:1 83:73:1a:32:20:93 0.0.0.0.45282 > 0.0.0.0.24898: S 1838062028:1838062028(0) win 512
62:69:d3:1c:79:ef 80:13:35:4:cb:d0 0.0.0.0.11587 > 0.0.0.0.7723: S 1792413296:1792413296(0) win 512
c5:a:b7:3e:3c:7a 3a:ee:c0:23:4a:fe 0.0.0.0.19784 > 0.0.0.0.57433: S 1018924173:1018924173(0) win 512
88:43:ee:51:c7:68 b4:8d:ec:3e:14:bb 0.0.0.0.283 > 0.0.0.0.11466: S 727776406:727776406(0) win 512
b8:7a:7a:2d:2c:ae c2:fa:2d:7d:e7:bf 0.0.0.0.32650 > 0.0.0.0.11324: S 605528173:605528173(0) win 512
e0:d8:1e:74:1:e 57:98:b6:5a:fa:de 0.0.0.0.36346 > 0.0.0.0.55700: S 2128143986:2128143986(0) win 512
CAM Table Full
Once the CAM table on the switch is full, traffic without a CAM entry is flooded out every port on that VLAN.
This turns the switch into a hub in the VLAN (broadcast domain) to which the attacker belongs.
This attack will also fill the CAM tables of adjacent switches.
Sniffer output on the attacker's port once the table is full (the ICMP exchange between 10.1.1.26 and 10.1.1.25 should never have been visible there):
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) OOPS
10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) OOPS
MAC Flood Attacks – Countermeasures
Solution: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap.
Figure: the attacker sends 137,000 bogus MACs into a port on which only one MAC address is allowed; the port is shut down. Port security limits the number of MACs on an interface; the two legitimate stations in the figure are 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb.
Configuring Port Security
Per-port, per-VLAN maximum number of MAC addresses.
The restrict violation mode lets you know something has happened: you will get an SNMP trap.
(config-if)# switchport port-security
(config-if)# switchport port-security maximum 1 vlan voice
(config-if)# switchport port-security maxim um 1 vlan access
(config-if)# switchport port-security violation restrict
(config-if)# switchport port-security aging time 2
(config-if)# switchport port-security aging type inactivity
(config)# snmp-server enable traps port-security trap-rate 5
Port Security: What to Expect
- The performance hit seen with multiple attacks happening at one time is up to 99% CPU utilization
- Because the process is a low priority, packets were not dropped on any of the switches tested
- Telnet and management were still available
- You will want to rate-limit the SNMP traps; you don't want thousands of them
- Voice MOS scores under attack were very good, as long as QoS was configured
- Port security is designed to protect the switch and limit MAC addresses; it has no authentication. Look at 802.1X for that
- The minimum setting for a port with a phone is usually two addresses (one in the voice VLAN, one in the access VLAN); higher numbers should be considered
Notice: when using the restrict mode of port security, if the switch is under attack you will see a performance hit on the CPU.
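The CAM overflow and the port-security countermeasure above, as an added example that is not part of the original slides: a small model of a switch CAM table with a fixed capacity, a macof-style flood of random source MACs, and a per-port MAC limit in "violation shutdown" style. The class names, the 8-entry table size and the station addresses are assumptions chosen for illustration (a real platform holds thousands of entries; the flooding principle is the same).

```python
"""Added example (not from the slides): CAM overflow and port security modelled in Python."""
from collections import OrderedDict
import random


class Switch:
    """CAM table with a fixed capacity (real platforms: thousands of entries).
    A frame whose destination has no CAM entry is flooded to every other port."""

    def __init__(self, cam_size):
        self.cam_size = cam_size
        self.cam = OrderedDict()      # source MAC -> port it was learned on
        self.ports = set()

    def learn(self, src_mac, port):
        self.ports.add(port)
        if src_mac in self.cam:
            self.cam[src_mac] = port  # refresh / move an existing entry
            return True
        if len(self.cam) >= self.cam_size:
            return False              # table full: the new MAC is not learned
        self.cam[src_mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Learn the source, then return the set of egress ports."""
        self.learn(src_mac, in_port)
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return self.ports - {in_port}  # unknown unicast: flood in the VLAN


class PortSecurity:
    """Per-port limit on distinct source MACs; a violation shuts the port
    (the 'shutdown' mode; 'restrict' would drop the frame and send a trap)."""

    def __init__(self, switch, max_macs):
        self.switch = switch
        self.max_macs = max_macs
        self.seen = {}                # port -> set of source MACs seen
        self.shutdown = set()

    def ingress(self, src_mac, dst_mac, in_port):
        if in_port in self.shutdown:
            return set()              # err-disabled: nothing gets through
        macs = self.seen.setdefault(in_port, set())
        macs.add(src_mac)
        if len(macs) > self.max_macs:
            self.shutdown.add(in_port)
            return set()
        return self.switch.forward(src_mac, dst_mac, in_port)


def random_mac(rng):
    """Random unicast, locally administered MAC, as a flooding tool would use."""
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] & 0xFE) | 0x02
    return ":".join("%02x" % o for o in octets)


# Constructed station addresses (A and B are the two legitimate hosts of the figure).
A, B, C = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def cam_overflow_demo(cam_size=8, bogus=1000, protect=False):
    """A (port 1) talks to B (port 2); the attacker on port 3 floods bogus
    source MACs. Returns True if the A->B frame ended up on the attacker's
    port, i.e. the switch has degraded into a hub for that VLAN."""
    sw = Switch(cam_size)
    send = PortSecurity(sw, max_macs=1).ingress if protect else sw.forward
    rng = random.Random(1)                     # fixed seed: reproducible run
    for mac, port in ((A, 1), (B, 2), (C, 3)):
        send(mac, BROADCAST, port)             # normal learning
    for _ in range(bogus):
        send(random_mac(rng), random_mac(rng), 3)  # macof-style flood
    sw.cam.pop(B, None)                        # B's entry ages out ...
    send(random_mac(rng), random_mac(rng), 3)  # ... and the flood refills the slot
    send(B, A, 2)                              # B cannot be re-learned now
    egress = send(A, B, 1)
    return 3 in egress
```

Run `cam_overflow_demo()` and the A-to-B frame reaches port 3; run it with `protect=True` and the attacker's port is shut down after its second source MAC, so the table never fills and B stays reachable without flooding. Note what the model also makes visible: port security counts MACs, it does not authenticate them, which is the slide's point about 802.1X.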
Spanning Tree Basics
STP purpose: to maintain loop-free topologies in a redundant Layer-2 infrastructure.
STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs). The basic messages are configuration BPDUs and topology change notification/acknowledgment (TCN/TCA); most have no "payload".
Avoiding loops ensures broadcast traffic does not become storms.
Figure: one switch is elected as root. Root selection is based on the lowest configured priority (0–65535) of any switch, with the lowest MAC address as the tie-breaker. A tree-like, loop-free topology is established from the perspective of the root bridge, and the redundant link is blocked (X).
Attacking Spanning Tree Protocol
The attacker sends superior BPDU messages to become the root bridge.
The attacker then sees frames he shouldn't; MITM and DoS are both possible.
Any attack is very sensitive to the original topology, trunking and PVST.
Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a 10 Gbps backbone down to half-duplex 10 Mbps was verified.
The attack requires the attacker to be dual-homed to two different switches (with a hub, it can be done with just one interface on the attacking host).
Figure: the attacking host connected to two access switches claims root; the original root's redundant link is now blocked (X) and traffic between the access switches flows through the attacker.
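The rogue-root attack above and the Root Guard feature mentioned in the next slide, as an added example that is not part of the original slides: the 802.1D configuration BPDU layout, the comparison that decides which BPDU is "superior" (and therefore wins the election), and a port model that either accepts the new root or, with Root Guard, drops into the root-inconsistent state. Bridge MACs, priorities and path costs are constructed sample values; the `Switch` and `Port` classes are assumptions for illustration, not any vendor's implementation.

```python
"""Added example (not from the slides): superior BPDUs and Root Guard."""
import struct

BPDU_FMT = "!HBBB8sI8sHHHHH"  # 35-byte 802.1D configuration BPDU
CONFIG_BPDU = 0x00


def bridge_id(priority, mac):
    """8-byte Bridge ID: 2-byte priority followed by the bridge's MAC."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))


def build_config_bpdu(root, root_cost, sender, port_id=0x8001,
                      msg_age=0, max_age=20, hello=2, fwd_delay=15):
    """Protocol ID 0, version 0, type 0 (config); timers in units of 1/256 s."""
    return struct.pack(BPDU_FMT, 0x0000, 0x00, CONFIG_BPDU, 0x00, root,
                       root_cost, sender, port_id, msg_age * 256,
                       max_age * 256, hello * 256, fwd_delay * 256)


def parse_config_bpdu(raw):
    size = struct.calcsize(BPDU_FMT)
    if len(raw) < size:
        raise ValueError("short BPDU")
    f = struct.unpack(BPDU_FMT, raw[:size])
    if f[0] != 0x0000 or f[2] != CONFIG_BPDU:
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root": f[4], "root_cost": f[5], "sender": f[6],
            "port_id": f[7], "max_age": f[9] // 256}


def priority_vector(info):
    """Election order: lowest root ID wins, then lowest path cost, then
    lowest sender bridge ID, then lowest port ID."""
    return (info["root"], info["root_cost"], info["sender"], info["port_id"])


def is_superior(received, current):
    return priority_vector(received) < priority_vector(current)


class Switch:
    def __init__(self, root_info):
        self.root_info = root_info     # best root information known so far


class Port:
    """A designated port; with Root Guard it refuses to become a root port."""

    def __init__(self, switch, path_cost, root_guard=False):
        self.switch = switch
        self.path_cost = path_cost
        self.root_guard = root_guard
        self.state = "forwarding"

    def receive(self, raw):
        bpdu = parse_config_bpdu(raw)
        bpdu["root_cost"] += self.path_cost   # cost as seen from this switch
        if not is_superior(bpdu, self.switch.root_info):
            return self.state                 # inferior BPDU: ignored
        if self.root_guard:
            self.state = "root-inconsistent"  # blocked until the BPDUs stop
        else:
            self.switch.root_info = bpdu      # new root accepted: attacker wins
        return self.state


def rogue_root_demo(root_guard):
    """Constructed scenario: the core (priority 4096) is root; a host sends a
    BPDU claiming root with priority 0. Returns (port state, attacker is root)."""
    core = bridge_id(4096, "00:1a:2b:00:00:01")
    sw = Switch({"root": core, "root_cost": 4, "sender": core, "port_id": 0x8001})
    port = Port(sw, path_cost=4, root_guard=root_guard)
    rogue = bridge_id(0, "02:de:ad:be:ef:00")   # priority 0 beats 4096
    state = port.receive(build_config_bpdu(rogue, 0, rogue))
    return state, sw.root_info["root"] == rogue
```

Without Root Guard the port accepts the priority-0 BPDU and the topology re-converges around the attacker; with Root Guard the port is blocked instead, and it recovers on its own once the superior BPDUs stop arriving, which is why Root Guard belongs on every port that must never lead toward the root.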
Traditional Layer-2 Access Design
Mature, 10+ year old design.
Redundant design with sub-optimal topology and complex operation.
Stabilize the network topology with several Layer-2 protection features:
- STP primary and backup root bridge
- Root Guard
- Loop Guard or Bridge Assurance
- STP edge protection (BPDU Guard or PortFast) and port security on access ports
Protocol-restricted forwarding topology:
- STP FWD/ALT/BLK ports
- Single active FHRP gateway
- Asymmetric forwarding
- Unicast flooding
Protocol-dependent network recovery:
- PVST/RPVST+
- FHRP tunings
Figure: a distribution pair (STP root, HSRP active) with Root Guard, Loop Guard or Bridge Assurance on the switch-to-switch links, and BPDU Guard or PortFast plus port security on the access ports.
Layer-2 Security with Routed Access
- Simplified operation with a single control plane: routing protocols (EIGRP/OSPF)
- Improved network design: no FHRP, STP, trunks, VTP etc. between access and distribution
- Optimized forwarding topology: Layer-3 ECMP
- Improved convergence with fewer protocols
Figure: the same topology with the Layer-3 boundary moved down to the access switch; the Layer-2 protection features of the previous figure (Root Guard, Loop Guard or Bridge Assurance, STP root, HSRP active, BPDU Guard or PortFast, port security) are only needed below that boundary.
VTP – VLAN Trunking Protocol
- VTP is a Cisco-proprietary protocol available on most Catalyst switches
- Works on ISL and 802.1Q trunks to propagate VLAN information
- Periodic advertisements to the multicast address 01-00-0c-cc-cc-cc (the same as CDP)
- 802.1Q frames have the Ethertype 0x8100; VTP itself is carried in LLC/SNAP (LLC code 0xaaaa, Subnetwork Access Protocol) with SNAP type 0x2003
- Modes of operation: server, client, transparent and off
- VTP pruning blocks unneeded flooded traffic
Attacking VLAN Trunking Protocol
Active attack: inserting a VTP client or server with a higher configuration revision number into the network.
An attacker can prepare and insert a hostile switch, or use tools like yersinia to:
- Send raw VTP packets
- Delete ALL VLANs
- Delete selected VLANs
- Add one VLAN
- Try to crash the switch
All of these can lead to a catastrophic DoS condition: deleted VLANs become inactive, and ports assigned to them stop forwarding.
Figure: the VTP server and its clients hold VLANs 10, 20, 30 and 40; the attacker's switch advertises VLANs 77 and 99 with a higher revision number, and every switch in the domain replaces its VLAN database with VLANs 77 and 99.
VTP Version 1 and 2 Attack Countermeasures
- Configure the VTP domains appropriately.
- Turn off VTP altogether if you want to limit or prevent possible undesirable protocol interactions with regard to network-wide VLAN configuration.
- Authenticate VTP with an MD5 password: an MD5 digest of the VTP configuration and the password is carried in the advertisement (changing pruning or the version on the VTP server changes the MD5 digest).
- If VLANs other than VLAN 1 or the management VLAN represent a security concern, automatic or manual pruning should be applied as well.
- Configuring VTP transparent or off mode and doing manual pruning of VLANs is commonly considered the most effective method to exert a stricter level of control over a VLAN-based network.
- Configure static access ports. VTP is disabled by default on non-trunk ports.
VTP Version 3 Security Enhancements
- VTPv3 supports a superset of VTPv1 and v2
- Extended-range VLANs (1006 to 4094)
- Enhanced authentication (hidden or secret password)
- Private VLAN support
- Primary and secondary VTP servers: only the VTPv3 primary server is able to update the domain
- Ability to turn VTP on or off on a per-trunk / per-port basis
- VTPv3 provides anti-replay protection together with MD5 HMAC authentication
Note: VTPv3 has historically been available on high-end platforms only. Since 12.2(52)SE it is available on access Catalyst switches (2K, 3K) as well.
Cisco Discovery Protocol (CDP)
- CDP is a Cisco-proprietary Layer-2 protocol that has been around since 1994
- Runs on all media supporting the Subnetwork Access Protocol (SNAP), including Frame Relay and ATM. On Ethernet, the SNAP protocol ID 0x2000 is used
- A device sends periodic advertisements to the multicast address 01-00-0c-cc-cc-cc
- Type-Length-Value fields (TLVs) are blocks of information embedded in CDP advertisements, a way for Cisco to expand the protocol
- CDP version 2 (CDPv2) is the most recent release of the protocol:
  - Provides more intelligent device tracking features
  - Error messages can be sent to the console or to a logging server
  - Covers instances of mismatched native VLAN IDs (IEEE 802.1Q): Native VLAN TLV
  - Detects mismatched port duplex states between connecting devices: Full/Half Duplex TLV
Attacking Cisco Discovery Protocol
No authentication is built into CDP.
Passive attack: listening to CDP messages
- Getting extensive information about the neighbor device
Active attack: an attacker can craft CDP messages to:
- Test the resiliency of the protocol implementation on the switch
- Pollute and overflow the CDP cache
- Advertise itself as a PoE device: switch power budget exhaustion
Defense against CDP attacks can be performed by:
- Disabling CDP globally: (config)# no cdp run
- Disabling CDP per interface: (config-if)# no cdp enable
However, some applications, like IP telephony VLAN negotiation, network inventory and topology, power negotiation, emergency services and device profiling, make extensive use of CDP.
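The passive and active CDP attacks above, as an added example that is not part of the original slides: a parser for the TLVs a listener reads off the wire, the CDP checksum check, and a small triage of what an advertisement arriving on a user-facing port should never carry (an infrastructure capability claim, or an inline-power request from a port with no PoE device). The frames are constructed here; device names, versions and the 15.4 W request are sample data, not from any real switch. The TLV type codes used are the public ones (Device ID 0x0001, Port ID 0x0003, Capabilities 0x0004, Version 0x0005, Platform 0x0006, Native VLAN 0x000a, Power Consumption 0x0010); the Address TLV is left out for brevity.

```python
"""Added example (not from the slides): CDP TLV parsing and host-port triage."""
import struct

TLV_DEVICE_ID, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0003, 0x0004
TLV_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_POWER = 0x0005, 0x0006, 0x000A, 0x0010
STRING_TLVS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
               TLV_VERSION: "version", TLV_PLATFORM: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "TB-Bridge", 0x04: "SR-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def ones_complement_checksum(data):
    """Textbook IP-style checksum. Real CDP handles a trailing odd byte
    differently from zero padding, so the builder keeps payloads even-length."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value  # length includes the header


def build_cdp(tlvs, version=2, ttl=180):
    body = b"".join(tlvs)
    if (4 + len(body)) % 2:
        raise ValueError("keep the CDP payload even-length (see checksum note)")
    csum = ones_complement_checksum(struct.pack("!BBH", version, ttl, 0) + body)
    return struct.pack("!BBH", version, ttl, csum) + body


def parse_cdp(payload):
    """Decode the TLVs a passive listener sees; unknown types are skipped."""
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl,
            "checksum_ok": ones_complement_checksum(payload) == 0}
    off = 4
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        value = payload[off + 4:off + length]
        if t in STRING_TLVS:
            info[STRING_TLVS[t]] = value.decode("ascii", "replace")
        elif t == TLV_CAPABILITIES and len(value) == 4:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif t == TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif t == TLV_POWER and len(value) == 2:
            info["power_mw"] = struct.unpack("!H", value)[0]
        off += length
    return info


def host_port_findings(info, poe_device_expected=False):
    """What a CDP advertisement arriving on a user-facing port should not carry."""
    findings = []
    if not info["checksum_ok"]:
        findings.append("bad checksum")
    if {"Switch", "Router"} & set(info.get("capabilities", [])):
        findings.append("neighbour claims an infrastructure role")
    if info.get("power_mw", 0) and not poe_device_expected:
        findings.append("neighbour requests %d mW of inline power" % info["power_mw"])
    return findings


def switch_advert():
    """Constructed sample of what a switch leaks to anyone listening on a port."""
    return build_cdp([
        tlv(TLV_DEVICE_ID, b"core-sw1"),
        tlv(TLV_PORT_ID, b"Gi1/0/24"),
        tlv(TLV_CAPABILITIES, struct.pack("!I", 0x08 | 0x20)),   # Switch, IGMP
        tlv(TLV_VERSION, b"15.0(1)SE"),
        tlv(TLV_PLATFORM, b"cisco WS-C3750X-48P"),
        tlv(TLV_NATIVE_VLAN, struct.pack("!H", 1)),
    ])


def rogue_poe_advert():
    """Constructed attacker frame: a 'phone' asking for the full 802.3af budget."""
    return build_cdp([
        tlv(TLV_DEVICE_ID, b"SEP001122334455"),
        tlv(TLV_PORT_ID, b"Port 1"),
        tlv(TLV_CAPABILITIES, struct.pack("!I", 0x10)),          # Host
        tlv(TLV_PLATFORM, b"Cisco IP Phone 7960"),
        tlv(TLV_POWER, struct.pack("!H", 15400)),
    ])
```

Parsing `switch_advert()` yields the hostname, port, IOS version, platform and native VLAN, which is exactly the reconnaissance the passive attack buys. A switch that cannot turn CDP off on phone ports can at least treat a power request from a port where no PoE device is expected, or a Switch/Router capability on a host port, as an event worth a trap.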
CDP Security with IP Telephony
On some hardware platforms a triple check (CDP, line power and duplex) is available before a Cisco IP Phone is admitted into the voice VLAN.
If the conditions are not satisfied, the port gets err-disabled.
Question to consider: should access to a port be denied when power was NOT granted?
Figure: IP phone with a PC behind it; the voice and data VLANs (VLAN 10 and VLAN 20) share the link to the switch.
Require line power and CDP: (config-if)# switchport voice detect cisco-phone
Additionally require full duplex: (config-if)# switchport voice detect cisco-phone full-duplex
Log messages on a violation:
%CPDE-6-DETECT: Device detected on GigabitEthernet0/1 violating configuration
%PM-4-ERR_DISABLE: security-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Link-Layer Discovery Protocol (LLDP)
- LLDP is the IEEE 802.1AB standard, comparable in principle to CDP as a Layer-2 discovery protocol
- Multicast address 01-80-c2-00-00-0e, dedicated Ethertype 0x88cc
- Supports a set of TLVs to discover neighbor devices
- Extension: Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)
- LLDP-MED provides support for media endpoints with additional TLVs:
  - LLDP-MED capabilities TLV
  - Network policy TLV
  - Power management TLV
  - Inventory management TLV
  - Location TLV
- By default, a network device sends only LLDP packets until it receives LLDP-MED packets from an endpoint device
LLDP and LLDP-MED Security Considerations
Similar attack and defense approach as with CDP.
However, LLDP can be utilized by the Wired Location Service to track connected devices and endpoints and report them to the Mobility Services Engine (MSE) using the Network Mobility Services Protocol (NMSP).
LLDP provides more granularity: transmit and receive can be controlled separately, as can the specific TLVs that are propagated.
(config)# no lldp run
(config-if)# no lldp transmit
(config-if)# no lldp receive
(config-if)# lldp med-tlv-select [tlv]
Hot Standby Router Protocol (HSRP)
- HSRP is a Cisco-proprietary FHRP (First-Hop Redundancy Protocol)
- Defined in RFC 2281, known since 1998
- Designed to achieve almost 100% availability of the first hop
- L3 switches and routers running HSRP work in sets known as groups
- State-machine driven: Initial, Learn, Listen, Speak, Standby, Active
- For IPv4, the group virtual MAC is 00-00-0c-07-ac-NN for HSRPv1 and 00-00-0c-9f-fN-NN for HSRPv2. HSRP hello packets use UDP port 1985 and IP multicast 224.0.0.2 (224.0.0.102 for HSRPv2) with TTL=1
- For IPv6, the group MAC is 00-05-73-a0-0N-NN and the UDP port is 2029. A link-local or non-link-local virtual IPv6 address can be used
- Advanced features exist: preemption, interface tracking, use of the BIA (burned-in address), multiple HSRP groups, BVI, syslog support, enhanced debugging, strong authentication, SNMP MIB, VRF awareness
Attacking HSRP - Information Leakage
RFC 2281 clearly states that HSRP is not secure by default:
"This protocol does not provide security. The authentication field found within the message is useful for preventing misconfiguration. The protocol is easily subverted by an active intruder on the LAN. This can result in a packet black hole and a denial-of-service attack. It is difficult to subvert the protocol from outside the LAN as most routers will not forward packets addressed to the all-routers multicast address (224.0.0.2)"
Passive attack: traffic sniffing can lead to HSRP information leakage
- Neither a breach nor a service disruption by itself
- The attacker learns the virtual IP address, the group number and the clear-text password carried in the Authentication Data field of the HSRP message
- As HSRP is Cisco-proprietary, the attacker will probably follow up with Cisco-specific attacks and exploits
Attacking HSRP - Denial of Service
Active attack: the attacker sends fake HSRP packets with the maximum priority of 255 and the proper clear-text password.
The attacker claims the Active virtual router role and becomes the default gateway for hosts in the given VLAN.
The attacker drops the traffic, effectively creating a DoS condition.
Countermeasure: use HSRP strong authentication.
Figure: HSRP group 1, virtual IP 10.10.10.254, virtual MAC 00-00-0c-07-ac-01.
Attacking HSRP – Man in the Middle (MiTM)
Active attack: the same as the DoS attack, but the attacker does not drop the traffic after claiming the Active router role.
The attacker is now man-in-the-middle: he intercepts and forwards all the traffic leaving the local subnet, with catastrophic consequences including data theft and modification.
Figure: HSRP group 1, virtual IP 10.10.10.254, virtual MAC 00-00-0c-07-ac-01; the attacker sits between the hosts and the Internet.
Attacking HSRP – Countermeasures
Attack tools exist, like yersinia and hsrp, part of the Phenoelit IRPAS (Internetwork Routing Protocol Attack Suite). Typical use:
~# hsrp -d 224.0.0.2 -v 10.10.10.254 -a cisco -g 1 -i eth0 -S 10.10.10.17
The most important countermeasure is MD5 HMAC strong authentication combined with key rollover (accept-lifetime and send-lifetime on the key chain):
(config)# key chain hsrp1
(config-keychain)# key 1
(config-keychain-key)# key-string 54321098452103ab
(config-if)# standby 1 ip 10.10.10.254
(config-if)# standby 1 priority 110
(config-if)# standby 1 preempt
(config-if)# standby 1 authentication md5 key-chain hsrp1
Attacking HSRP – Even More Countermeasures
HSRP strong authentication is critical, but it does not stop a replay attack.
By capturing an authenticated HSRP packet and resending exactly the same packet, the attacker becomes Active and is able to sustain that state later on.
This attack can be avoided by using port security: the replayed frames carry the real router's source MAC address, which is not an allowed address on the attacker's port.
A complementary and effective approach is to use an ACL to filter potential HSRP messages from hosts at the access layer:
(config)# access-list 195 permit udp host 10.10.10.5 host 224.0.0.2 eq 1985
(config)# access-list 195 permit udp host 10.10.10.6 host 224.0.0.2 eq 1985
(config)# access-list 195 deny udp any any eq 1985
(config)# access-list 195 permit ip any any
(config-if)# ip access-group 195 in
Virtual Router Redundancy Protocol (VRRP)
- IETF standard, defined in RFC 2338 and RFC 3768
- Uses IP protocol 112
- Multicast address 224.0.0.18 with TTL=255
- The router uses its actual IP address as the source address, not the virtual IP address
- Virtual MAC address 00-00-5e-00-01-NN
- The master router sends periodic VRRP packets with the virtual MAC
- The VRRP virtual IP can be the router interface address (with HSRP, the virtual address is always different)
Virtual Router Redundancy Protocol (VRRP) Security
VRRP is slightly more secure than HSRP:
- The router rejects VRRP packets whose TTL is not 255, so a packet that has been routed in from elsewhere is discarded
- The router with the virtual IP assigned to its interface (the address owner) always has the highest priority, 255
Denial of service or MiTM after collecting the authentication data and becoming the master router is still possible.
Countermeasures:
- MD5 HMAC authentication (a Cisco extension) with a key string or key chain
- Use ACLs to prevent VRRP spoofing; VRRP uses IP protocol 112
(config-if)# vrrp 7 authentication md5 key-string s3cr3tly1337
(config)# access-list 170 permit 112 host 10.10.10.5 host 224.0.0.18
(config)# access-list 170 permit 112 host 10.10.10.6 host 224.0.0.18
(config)# access-list 170 deny 112 any any
(config)# access-list 170 permit ip any any
(config-if)# ip access-group 170 in
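The HSRP spoofing attack and the HSRP and VRRP access-layer ACLs above, as one added example that is not part of the original slides: the HSRPv1 packet an attacker sends (and a sniffer reads, password included), a VRRPv2 advertisement with its checksum, and a filter that applies the same rules as access lists 195 and 170 plus the TTL-255 check. The router addresses 10.10.10.5/6, the virtual IP 10.10.10.254 and the attacker address 10.10.10.17 are the slides' values; the packet dictionaries, the `fhrp_filter` function and the attacker's exact opcode are assumptions for illustration (the constructed packet is built from the RFC 2281 format, not captured from the hsrp tool).

```python
"""Added example (not from the slides): HSRPv1/VRRPv2 packets and a first-hop spoof filter."""
import struct
from ipaddress import IPv4Address

HSRP_FMT = "!BBBBBBBB8s4s"          # RFC 2281 section 5: 20-byte HSRPv1 packet
HSRP_HELLO, HSRP_COUP, HSRP_RESIGN = 0, 1, 2
HSRP_STATE_ACTIVE = 16
HSRP_PORT, VRRP_PROTO = 1985, 112
TRUSTED_ROUTERS = {"10.10.10.5", "10.10.10.6"}   # the two real gateways in the ACLs


def build_hsrp(opcode, state, priority, group, auth, vip, hello=3, hold=10):
    auth_field = auth.encode().ljust(8, b"\x00")[:8]   # clear-text; default is "cisco"
    return struct.pack(HSRP_FMT, 0, opcode, state, hello, hold, priority,
                       group, 0, auth_field, IPv4Address(vip).packed)


def parse_hsrp(payload):
    f = struct.unpack(HSRP_FMT, payload[:20])
    return {"opcode": f[1], "state": f[2], "priority": f[5], "group": f[6],
            "auth": f[8].rstrip(b"\x00").decode("ascii", "replace"),
            "vip": str(IPv4Address(f[9]))}


def ones_complement_checksum(data):
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp(vrid, priority, vips, adver_int=1):
    """VRRPv2 advertisement (RFC 3768): version 2, type 1, auth type 0."""
    addrs = b"".join(IPv4Address(a).packed for a in vips)
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = head + addrs + b"\x00" * 8            # 8-byte auth data, zero in RFC 3768
    csum = ones_complement_checksum(body)        # covers the whole VRRP message
    return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_vrrp(payload):
    vt, vrid, priority, count, _auth, _adv, _csum = struct.unpack("!BBBBBBH", payload[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    vips = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "vips": vips,
            "checksum_ok": ones_complement_checksum(payload) == 0}


def fhrp_filter(pkt, trusted=TRUSTED_ROUTERS):
    """pkt: dict with src, proto, ttl and, for UDP, dport. Mirrors the access-layer
    ACLs: only the real routers may speak HSRP or VRRP, and VRRP must arrive with
    TTL 255 (a copy that crossed a router never does). Returns (action, reason)."""
    if pkt["proto"] == 17 and pkt.get("dport") == HSRP_PORT:
        if pkt["src"] in trusted:
            return "permit", "HSRP from a trusted router"
        return "deny", "HSRP sourced by a host port"
    if pkt["proto"] == VRRP_PROTO:
        if pkt["src"] not in trusted:
            return "deny", "VRRP sourced by a host port"
        if pkt["ttl"] != 255:
            return "deny", "VRRP with TTL %d, must be 255" % pkt["ttl"]
        return "permit", "VRRP from a trusted router"
    return "permit", "not a first-hop redundancy protocol"


def attacker_hsrp_claim():
    """Constructed: a priority-255 Hello claiming Active for group 1 with the
    default password, sourced from the attacker host 10.10.10.17."""
    payload = build_hsrp(HSRP_HELLO, HSRP_STATE_ACTIVE, 255, 1, "cisco", "10.10.10.254")
    return {"src": "10.10.10.17", "dst": "224.0.0.2", "proto": 17,
            "dport": HSRP_PORT, "ttl": 1, "payload": payload}
```

The deny on UDP/1985 is keyed on the port, not on 224.0.0.2, so it also catches HSRPv2 (which uses 224.0.0.102) and unicast-addressed tricks; the ACL on the slide is written the same way. Note that the filter does nothing against a replayed packet from a trusted source, which is the port-security point made above.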
Basic Trunk Port Defined
- Trunk ports have access to all VLANs by default
- Used to carry traffic for multiple VLANs across the same physical link (generally between switches, or to IP phones)
- Encapsulation: 802.1Q
Figure: two switches, each with VLAN 10 and VLAN 20 ports, joined by an 802.1Q trunk that carries VLAN 10 and VLAN 20 plus a native VLAN.
Dynamic Trunking Protocol (DTP)
What is DTP?
- Automates 802.1Q trunk setup
- Operates between switches (a Cisco IP phone is a switch)
- Does not operate on routers
- Support varies, check your device
DTP synchronizes the trunking mode on both ends of a link.
The DTP state on an 802.1Q trunking port can be set to "auto", "on", "off", "desirable" or "nonegotiate".
Basic VLAN Hopping Attack
The attacker sends DTP messages and establishes an 802.1Q trunk.
The attacker's station becomes a member of all VLANs.
Figure: the attacker's port negotiates into a trunk carrying a native VLAN plus VLAN 10 and VLAN 20, the same VLANs the switch-to-switch trunk carries.
Countermeasures: make user-facing ports static access ports and turn DTP off:
(config-if)# switchport mode access
(config-if)# switchport nonegotiate
Double 802.1Q Encapsulation VLAN Hopping Attack
- The attacker sends 802.1Q double-encapsulated frames
- The switch performs only one level of decapsulation: it strips off the first tag and sends the frame back out the trunk
- Unidirectional attack only
- Works even if the port's trunking is set to off, since no DTP is involved
- Note: only works if the trunk's native VLAN is the same as the attacker's access VLAN
Frame layout (first tag is the attacker's VLAN, second tag is the target VLAN):
dst mac | src mac | 8100 | 5 | 8100 | 96 | 0800 | data
The first switch removes the outer tag (VLAN 5, its native VLAN) and forwards the frame untagged across the trunk; the next switch reads the inner tag and delivers the frame into VLAN 96.
(config-if)# switchport mode access
(config-if)# switchport nonegotiate
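The double-tagging attack above, as an added example that is not part of the original slides: frames are built with stacked 802.1Q tags and pushed through a model of an access port, a trunk egress and the next switch's trunk ingress, so the three outcomes can be compared: native VLAN equal to the attacker's VLAN (hop succeeds), a dedicated native VLAN (no hop), and a tagged native VLAN (no hop). The switch model is an assumption for illustration; in particular it assumes, as the slide does, that an access port accepts a frame tagged with its own access VLAN and strips that tag. The MAC addresses and the 20-byte stand-in payload are constructed.

```python
"""Added example (not from the slides): double-tagged frames through a two-switch model."""
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlans, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    hdr = mac(dst) + mac(src)
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vlan, frame without that tag); (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames join the access VLAN; a frame tagged with
    the access VLAN itself is accepted and its tag removed; others are dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(frame, vid, native_vlan, tag_native):
    """Native-VLAN frames leave untagged unless the native VLAN is tagged as
    well ('vlan dot1q tag native' on IOS)."""
    if vid == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vid)


def trunk_ingress(frame, native_vlan, tag_native):
    vid, inner = pop_tag(frame)
    if vid is None:
        return (None, None) if tag_native else (native_vlan, frame)
    return vid, inner


def double_tag_hop(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """Attacker on an access port in attacker_vlan sends a frame tagged
    [attacker_vlan, target_vlan]. Returns the VLAN the frame lands in on the
    second switch, or None if it was dropped on the way."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:de:ad:be:ef:01",
                        [attacker_vlan, target_vlan], ETH_P_IP, b"\x45" + b"\x00" * 19)
    vid, f = access_ingress(frame, attacker_vlan)        # switch 1, access port
    if vid is None:
        return None
    f = trunk_egress(f, vid, native_vlan, tag_native)    # switch 1 -> trunk
    vid2, _ = trunk_ingress(f, native_vlan, tag_native)  # switch 2, trunk port
    return vid2
```

`double_tag_hop(5, 96, native_vlan=5)` returns 96: the frame left switch 1 untagged because VLAN 5 is native, so switch 2 read the inner tag. With `native_vlan=999` or `tag_native=True` the outer tag is re-applied on the trunk and the frame stays in VLAN 5. The reply from the victim in VLAN 96 has no path back to the attacker, which is the "unidirectional" caveat on the slide.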
Voice VLAN Access: Attack
The attacker sends 802.1Q-tagged frames from the PC to the phone. Traffic from the PC is now in the voice VLAN.
Countermeasure: disable PC voice VLAN access on CUCM. Tagged traffic will then be stopped at the PC port on the phone.
Figure: the attacker's PC sends frames tagged with VLAN 10 through the phone, so the voice VLAN (VLAN 10) now carries PC traffic next to the data VLAN (VLAN 20).
Security Best Practices for VLANs and Trunking
- Always use a dedicated VLAN ID as the native VLAN of all trunk ports
- Disable unused ports and put them in an unused VLAN
- Be paranoid: do not use VLAN 1 for anything
- Disable auto-trunking on user-facing ports (DTP off)
- Explicitly configure trunking on infrastructure ports
- Tag the native VLAN on trunks (802.1Q tag-all mode), so no frame crosses a trunk untagged
- Use the PC voice VLAN access setting on phones that support it
Agenda: Achieving Layer-2 Confidentiality with 802.1AE MACsec
MACsec - Achieving Confidentiality at Layer-2
- MACsec is the IEEE Layer-2 encryption mechanism (since 2006)
- 802.1AE defines AES-GCM-128 encryption (AES-GCM-256 in the future)
- 802.1X EAP authentication is used to derive the 802.1AE session keys for encryption (the key agreement itself is MKA, defined in 802.1X-2010)
- Authenticated Encryption with Associated Data (AEAD): the frame is both encrypted and integrity-protected
- Hardware implementations are very efficient: 1 Gbps and 10 Gbps line-rate crypto
- MACsec can be used switch-to-switch or endpoint-to-switch
See BRKSEC-2046 Deploying Security Group Tagging and MACSec.
Figure: hop-by-hop operation; the AnyConnect 3 (AC3) client encrypts on the downlink, the access switch decrypts and encrypts again on the uplink, and so on toward the distribution layer.
MACsec Importance for Layer-2 Security
- Client-side encryption can be done in software (AnyConnect 3.0) and in hardware
- 802.1X NEAT (Network Edge Access Topology) can be used to defend against bogus switch insertion
- A physical MiTM on the access link is a feasible attack using a small form-factor PC (DreamPlug)
- Such attacks have been demonstrated (DEFCON 19, "A Bridge Too Far")
Putting It Together: 802.1AE with SGT
Frame layout (Ethernet frame fields with the 802.1AE and Cisco Meta Data (CMD) additions):
DMAC | SMAC | 802.1AE header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
- CMD (Cisco Meta Data) carries: Version, Length, CMD EtherType, SGT Option Type, SGT Value, other CMD options
- Encrypted: everything from the 802.1Q tag through the payload
- Authenticated (covered by the ICV): from DMAC through the payload
- The 802.1AE header, CMD and ICV are the Layer-2 802.1AE + TrustSec overhead
- The frame is always tagged at the ingress port of an SGT-capable device
- The tagging process happens prior to other Layer-2 services such as QoS
- No impact on IP MTU/fragmentation
- Layer-2 frame MTU impact: ~40 bytes, less than a baby giant frame (~1600 bytes with a 1552-byte MTU)
See BRKSEC-2046 Deploying Security Group Tagging and MACSec.
Cisco's MACsec-Capable Product Portfolio
Client
- Software: AnyConnect 3.0
- Hardware: Intel 82567LM, Intel 82579LM
- Key agreement: MKA (802.1X-2010)
- Availability: available now
Cat 3K
- Software: IOS 15.0(1)SE
- Hardware: Catalyst 3750X, Catalyst 3560X, C3KX-SM-10G, WS-C3560CPD-8PT-S *, WS-C3560CG-8TC-S *, WS-C3560CG-8PC-S
- Key agreement: MKA (802.1X-2010) for host access, Security Association Protocol (SAP) switch-to-switch (* MKA / downlink only)
- Availability: host access and switch-to-switch available now
Cat 4K
- Software: IOS-XE 3.3.0SG
- Hardware: Catalyst 45xx-E, WS-X45-Sup7-E, WS-X4712-SFP+E, WS-X4748-UPOE+E, WS-X4748-RJ45V+E, WS-X4748-RJ45-E
- Key agreement: MKA (802.1X-2010) for host access, SAP switch-to-switch
- Availability: host access Q1CY12, switch-to-switch Q1CY12
Cat 6K
- Software: IOS 12.2(50)SY
- Hardware: Catalyst 65xx-E, VS-S2T-10G, VS-S2T-10G-XL, WS-X6908-10G-2T, WS-X6908-10G-2TXL
- Key agreement: SAP switch-to-switch
- Availability: switch-to-switch available now
N7K
- Software: NX-OS 5.2.1
- Hardware: N7K-C70xx, N7K-SUP1, N7K-M108X2-12L, N7K-M132XP-12, N7K-M132XP-12L, N7K-M148GT-11, N7K-M148GT-11L, N7K-M148GS-11, N7K-M148GS-11L
- Key agreement: SAP switch-to-switch
- Availability: switch-to-switch (DC to DC) available now
Agenda
Introduction to Layer-2 Security
Layer-2 Security – Fundamental Mechanisms
- MAC, STP, VTP, CDP, LLDP and FHRP attacks
- Securing Segmentation against VLAN and DTP attacks.
- Achieving Layer 2 Confidentiality with 802.1AE MACSec
Layer-2 Security specific to IPv4 Networks: Attacks and Countermeasures
- Securing Integrity and Availability of DHCPv4 and ARP
Layer-2 Security specific to IPv6 Networks: Attacks and Countermeasures
- IPv6 FHS: First-Hop Security Mechanisms
Layer-2 Security in the Era of Virtualization and Cloud
- VM Hypervisor Layer-2 Security (N1kV)
Layer-2 advanced attack mitigation using security appliances
- Firewall Layer-2 attack mitigation
- IPS Layer-2 attack mitigation
Summary
DHCPv4 Function: High Level
Server dynamically assigns IP address on demand
Administrator creates pools of addresses available for assignment
Address is assigned with lease time
DHCP delivers other configuration information in options
Similar functionality in IPv6 for DHCP
Exchange shown: Client -> DHCP Server: "Send my configuration information"; DHCP Server -> Client: "Here is your configuration":
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days
DHCP Function: Lower Level
DHCP is defined by RFC 2131
Exchange between Client and DHCP Server:
DHCP Discover (Broadcast), Client -> Server
DHCP Offer (Unicast), Server -> Client
DHCP Request (Broadcast), Client -> Server
DHCP Ack (Unicast), Server -> Client
DHCP Starvation Attack
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope
This is a Denial of Service attack using DHCP leases
Exchange between the Gobbler client and the DHCP Server, repeated once per address in the scope:
DHCP Discover (Broadcast) x (Size of Scope)
DHCP Offer (Unicast) x (Size of Scope)
DHCP Request (Broadcast) x (Size of Scope)
DHCP Ack (Unicast) x (Size of Scope)
Countermeasures for DHCP Attacks: DHCP Starvation Attack = Port Security
Gobbler uses a new MAC address to request a new DHCP lease
Restrict the number of MAC addresses on a port
Attacker will not be able to lease more IP addresses than MAC addresses allowed on the port
In the example the attacker would get one IP address from the DHCP server
Client port configuration:
(config-if)# switchport port-security
(config-if)# switchport port-security maximum 1
(config-if)# switchport port-security violation restrict
(config-if)# switchport port-security aging time 2
(config-if)# switchport port-security aging type inactivity
Rogue DHCP Server Attack
A rogue or unapproved DHCP server answers the client alongside the legitimate DHCP server:
DHCP Discover (Broadcast)
DHCP Offer (Unicast) from Rogue Server
DHCP Request (Broadcast)
DHCP Ack (Unicast) from Rogue Server
Rogue DHCP Server Attack
What can the attacker do if he is the DHCP server?
"Here is your configuration", as sent by the rogue server:
IP Address: 10.10.10.101
Subnet Mask: 255.255.255.0
Default Routers: 10.10.10.1
DNS Servers: 192.168.10.4, 192.168.10.5
Lease Time: 10 days
What do you see as a potential problem with incorrect information?
Wrong default gateway: attacker is the gateway
Wrong DNS server: attacker is the DNS server
Wrong IP address: attacker does DoS with incorrect IP
Mitigating the Rogue Server Attack – DHCP Snooping
With DHCP snooping enabled, the DHCP server port is Trusted and the client ports (including the rogue server's port) are Untrusted. OK DHCP responses (OFFER, ACK, NAK) from the trusted port are forwarded; BAD DHCP responses (OFFER, ACK, NAK) arriving on untrusted ports are dropped.
Global configuration:
(config)# ip dhcp snooping vlan 4,104
(config)# no ip dhcp snooping information option
(config)# ip dhcp snooping
Client interface:
(config-if)# no ip dhcp snooping trust (Default)
(config-if)# ip dhcp snooping limit rate 10 (pps)
DHCP Server interface:
(config-if)# ip dhcp snooping trust
DHCP Snooping Binding Table
Table is built by "snooping" the DHCP reply to the client
Entries stay in table until DHCP lease time expires
(Same topology as above: trusted DHCP server port, untrusted client and rogue server ports; OK DHCP responses from the trusted port are forwarded, BAD DHCP responses on untrusted ports are dropped.)
# sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
DHCP Snooping Binding Persistence and Capacity
Not all operating systems (Linux) reinitiate DHCP on link down/up
In the event of switch failure, the DHCP snooping binding table can be written to bootflash, ftp, rcp, slot0, and tftp
Also, all DHCP snooping binding tables have limits
All entries stay in the binding table until the lease runs out
If you have a mobile work environment, reduce the lease time to make sure the binding entries will be removed
ip dhcp snooping database tftp://192.168.17.15/tftpboot/gawel/c6500-1-dhcpdb
ip dhcp snooping database write-delay 60
sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
DHCP Snooping Advanced Considerations
Gobbler uses a unique MAC for each DHCP request and port security prevents Gobbler
What if the attack used the same interface MAC address, but changed the client hardware address in the request?
Port security would not work for that attack
The switches check the CHADDR field of the request to make sure it matches the hardware MAC in the DHCP snooping binding table
If there is not a match, the request is dropped at the interface
DHCP message fields, in header order: OP Code, Hardware Type, Hardware Length, HOPS, Transaction ID (XID), Seconds, Flags, Client IP Address (CIADDR), Your IP Address (YIADDR), Server IP Address (SIADDR), Gateway IP Address (GIADDR), Client Hardware Address (CHADDR) 16 bytes, Server Name (SNAME) 64 bytes, Filename 128 bytes, DHCP Options
Note: Some switches have this on by default, and others don't; please check the documentation for settings
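The three DHCP checks the slides describe (server messages accepted only from trusted ports, the binding table built from snooped ACKs, and the CHADDR-versus-source-MAC check that closes the gap port security leaves) modelled as a small switch simulation. This is an added example, not Cisco code: the `SnoopingSwitch` class, its port names and every DHCP frame it processes are constructed for the demonstration, and the switch behaviour is simplified to exactly the checks named above.

```python
"""Model of the DHCP snooping and port-security checks described above.
Added example, not Cisco code: switch behaviour is simplified to the checks
the slides name, and every frame below is constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}                 # legitimate only from a trusted port
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class DhcpFrame:
    port: str                      # ingress switch port
    src_mac: str                   # Ethernet source MAC
    msg_type: str                  # DHCP message type option
    chaddr: str                    # DHCP client hardware address field
    yiaddr: Optional[str] = None   # address assigned in OFFER/ACK
    lease: int = 0


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    vlan: int
    trusted_ports: Set[str]
    port_security_max: int = 1                                        # switchport port-security maximum 1
    bindings: Dict[str, Binding] = field(default_factory=dict)        # keyed by client MAC
    macs_per_port: Dict[str, Set[str]] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)             # CHADDR -> port the request came from
    log: List[str] = field(default_factory=list)

    def process(self, f: DhcpFrame) -> str:
        """Apply the snooping checks to one frame; return 'forward' or 'drop'."""
        trusted = f.port in self.trusted_ports
        chaddr = f.chaddr.lower()

        # Rogue-server mitigation: OFFER/ACK/NAK are only accepted from trusted ports.
        if f.msg_type in SERVER_MESSAGES and not trusted:
            self.log.append(f"drop {f.msg_type} from untrusted port {f.port}")
            return "drop"

        if f.msg_type in CLIENT_MESSAGES and not trusted:
            # CHADDR check: the hardware address inside the request must match the
            # Ethernet source MAC, so one physical MAC cannot starve the pool by
            # rotating CHADDR values while port security only ever sees a single MAC.
            if chaddr != f.src_mac.lower():
                self.log.append(f"drop {f.msg_type} on {f.port}: CHADDR {f.chaddr} != SMAC {f.src_mac}")
                return "drop"
            # Port security: bounded number of source MACs per port (starvation mitigation).
            seen = self.macs_per_port.setdefault(f.port, set())
            if f.src_mac.lower() not in seen and len(seen) >= self.port_security_max:
                self.log.append(f"port-security violation on {f.port}: {f.src_mac}")
                return "drop"
            seen.add(f.src_mac.lower())
            self.pending[chaddr] = f.port

        # The binding table is built by snooping the ACK the server sends to the client.
        if f.msg_type == "ACK" and f.yiaddr and chaddr in self.pending:
            self.bindings[chaddr] = Binding(chaddr, f.yiaddr, f.lease, self.vlan, self.pending[chaddr])
        return "forward"


def run_demo() -> Tuple[SnoopingSwitch, List[str]]:
    """Replay a constructed sequence: one legitimate lease, a rogue server, a Gobbler-style client."""
    sw = SnoopingSwitch(vlan=4, trusted_ports={"Gi1/1"})
    legit, server = "00:03:47:b5:9f:ad", "00:11:22:33:44:55"
    gobbler = "aa:bb:cc:00:00:01"
    frames = [
        DhcpFrame("Fa3/18", legit, "DISCOVER", legit),
        DhcpFrame("Gi1/1", server, "OFFER", legit, "10.120.4.10", 193185),
        DhcpFrame("Fa3/18", legit, "REQUEST", legit),
        DhcpFrame("Gi1/1", server, "ACK", legit, "10.120.4.10", 193185),
        DhcpFrame("Fa3/20", "de:ad:be:ef:00:01", "OFFER", legit, "10.120.4.99"),     # rogue server, untrusted port
        DhcpFrame("Fa3/19", gobbler, "DISCOVER", gobbler),                            # first MAC on the port: allowed
        DhcpFrame("Fa3/19", "aa:bb:cc:00:00:02", "DISCOVER", "aa:bb:cc:00:00:02"),   # second MAC: port security
        DhcpFrame("Fa3/19", gobbler, "DISCOVER", "aa:bb:cc:00:00:03"),               # same MAC, spoofed CHADDR
    ]
    return sw, [sw.process(f) for f in frames]
```

Running `run_demo()` yields one binding (the legitimate client on Fa3/18, 10.120.4.10 with its lease) and three drops: the rogue OFFER, the Gobbler's second MAC, and the request whose CHADDR does not match its source MAC, which port security alone would have let through.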
Summary of DHCP Attacks
DHCP starvation attacks can be mitigated by port security
Rogue DHCP servers can be mitigated by DHCP snooping features
When configured with DHCP snooping, all ports in the VLAN will be "untrusted" for DHCP replies
Check default settings to see if the CHADDR field is being checked during the DHCP request
ACLs to block UDP port 68 for partial attack mitigation (will not prevent the CHADDR DHCP starvation)
ARP Function Review
Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address
- This ARP request is broadcast using protocol 0x0806
All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply
Example: "Who is 10.1.1.4?" (broadcast request) / "I am 10.1.1.4, MAC A" (reply)
ARP Function Review
According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP
Other hosts on the same subnet can store this information in their ARP tables
Anyone can claim to be the owner of any IP/MAC address; ARP attacks use this to redirect traffic
Example: a host announces "I am 10.1.1.1, MAC A" and every other host on the subnet records "10.1.1.1 is MAC A"
ARP Attack Tools
Many tools on the net for ARP man-in-the-middle attacks
- Dsniff, Cain, ettercap, Yersinia.
- ettercap: http://ettercap.sourceforge.net/
- Most have a very nice GUI, point and click
- Packet insertion, many to many ARP attack
All of them capture the traffic/passwords of applications
- FTP, Telnet, SMTP, HTTP, POP, NNTP, IMAP, SNMP, LDAP, RIP, OSPF, PPTP, MS-CHAP, SOCKS, X11, IRC, ICQ, AIM, SMB, Microsoft SQL, and more.
SSL/SSH MitM tools available, capable of presenting a bogus certificate.
ARP Spoofing Attack in Action
Attacker poisons the ARP tables. Hosts on the subnet: 10.1.1.1 is MAC A, 10.1.1.2 is MAC B, the attacker 10.1.1.3 is MAC C.
ARP to 10.1.1.1 saying "10.1.1.2 is MAC C"; ARP to 10.1.1.2 saying "10.1.1.1 is MAC C"
Result: on 10.1.1.1, "10.1.1.2 is now MAC C"; on 10.1.1.2, "10.1.1.1 is now MAC C"
ARP Spoofing Attack in Action
All traffic flows through the attacker: 10.1.1.1 transmits/receives its traffic for 10.1.1.2 to MAC C, and 10.1.1.2 transmits/receives its traffic for 10.1.1.1 to MAC C, while the attacker relays it.
Cleanup after the attack.
ARP Spoofing Attack Clean Up
Attacker corrects the ARP table entries: ARP to 10.1.1.1 saying "10.1.1.2 is MAC B"; ARP to 10.1.1.2 saying "10.1.1.1 is MAC A"
Result: "10.1.1.2 is now MAC B" and "10.1.1.1 is now MAC A" again
Traffic flows return to normal
Countermeasures to ARP Spoofing: Dynamic ARP Inspection (DAI)
DAI utilizes the DHCP snooping binding table information.
With DHCP snooping and Dynamic ARP Inspection enabled, the switch asks "is this in my binding table?" for every ARP; non-matching ARPs go in the bit bucket.
Example: hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B), attacker 10.1.1.3 (MAC C). The attacker's ARP to 10.1.1.1 saying "10.1.1.2 is MAC C" and ARP to 10.1.1.2 saying "10.1.1.1 is MAC C" do not match the bindings and are dropped.
IP Phones are able to ignore Gratuitous ARPs (GARPs)
Countermeasures to ARP Attacks: Dynamic ARP Inspection (DAI)
Uses the information from the DHCP snooping binding table
Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, traffic is blocked
DAI is configured by VLAN
You can trust an interface like DHCP snooping
Be careful with rate limiting.
- Large amounts of ARP replies in environments utilizing Simple Service Discovery Protocol (SSDP), a part of the Universal Plug and Play (UPnP) protocol stack
# sh ip dhcp snooping binding
MacAddress          IpAddress      Lease(sec)  Type           VLAN  Interface
------------------  -------------  ----------  -------------  ----  ----------------
00:03:47:B5:9F:AD   10.120.4.10    193185      dhcp-snooping  4     FastEthernet3/18
Configuring Dynamic ARP Inspection
The first step should be to enable DHCP Snooping
The second step – configuring DAI per VLAN and per interface
DHCP Snooping:
(config)# ip dhcp snooping vlan 4,104
(config)# no ip dhcp snooping information option
(config)# ip dhcp snooping
Dynamic ARP Inspection:
(config)# ip arp inspection vlan 4,104
(config)# ip arp inspection log-buffer entries 1024
(config)# ip arp inspection log-buffer logs 1024 interval 10
Trusted interface:
(config-if)# ip dhcp snooping trust
(config-if)# ip arp inspection trust
Untrusted interface:
(config-if)# no ip arp inspection trust (Default)
(config-if)# ip arp inspection limit rate 15 (pps)
Configuring Additional DAI Checks
Additional checks on the destination MAC, source MAC and IP addresses:
- Destination MAC: Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body
- Source MAC: Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body
- IP address: Checks the ARP body for invalid and unexpected IP addresses; addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses
Each check can be enabled independently, or in any combination of the three
The last command overwrites the earlier command
(config)# ip arp inspection validate dst-mac
(config)# ip arp inspection validate src-mac
(config)# ip arp inspection validate ip
Enable all DAI validations in one command:
(config)# ip arp inspection validate src-mac dst-mac ip
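The DAI decision the last two slides describe (binding-table lookup for untrusted ports, plus the optional src-mac, dst-mac and ip validations) as a Python model. This is an added example, not IOS code: the `DynamicArpInspection` class, its binding table, port names and ARP packets are constructed, and the order in which the validations run before the binding lookup is an assumption of the model rather than documented switch behaviour.

```python
"""Model of Dynamic ARP Inspection (DAI) as described above: ARP packets from
untrusted ports are checked against the DHCP snooping binding table, with the
optional src-mac / dst-mac / ip validations applied first. Added example, not
Cisco code; the binding table and ARP packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    port: str
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    op: str             # "request" or "reply"
    sender_mac: str     # ARP body sender hardware address
    sender_ip: str      # ARP body sender protocol address
    target_mac: str     # ARP body target hardware address
    target_ip: str      # ARP body target protocol address


class DynamicArpInspection:
    def __init__(self, bindings: Dict[Tuple[str, str], str], trusted: Set[str],
                 validate: Set[str] = frozenset()) -> None:
        # (mac, ip) -> port, as learned by DHCP snooping or entered statically
        self.bindings = {(m.lower(), ip): p for (m, ip), p in bindings.items()}
        self.trusted = trusted
        self.validate = set(validate)   # subset of {"src-mac", "dst-mac", "ip"}

    @staticmethod
    def _bad_ip(ip: str) -> bool:
        # 'ip' validation: 0.0.0.0, 255.255.255.255 and multicast are never valid in an ARP body
        return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

    def check(self, p: ArpPacket) -> Optional[str]:
        """None if the ARP is allowed, otherwise the reason DAI drops it."""
        if p.port in self.trusted:
            return None
        if "src-mac" in self.validate and p.eth_src.lower() != p.sender_mac.lower():
            return "src-mac: Ethernet source != ARP sender MAC"
        # target MAC / target IP are only meaningful in replies
        if "dst-mac" in self.validate and p.op == "reply" and p.eth_dst.lower() != p.target_mac.lower():
            return "dst-mac: Ethernet destination != ARP target MAC"
        if "ip" in self.validate:
            if self._bad_ip(p.sender_ip):
                return f"ip: invalid sender IP {p.sender_ip}"
            if p.op == "reply" and self._bad_ip(p.target_ip):
                return f"ip: invalid target IP {p.target_ip}"
        # Core DAI check: the sender MAC/IP pair must be bound on the ingress port.
        if self.bindings.get((p.sender_mac.lower(), p.sender_ip)) != p.port:
            return f"no binding for {p.sender_mac}/{p.sender_ip} on {p.port}"
        return None


def run_demo() -> List[Optional[str]]:
    """Constructed bindings and packets: one host per access port, uplink trusted."""
    bindings = {("00:03:47:b5:9f:ad", "10.120.4.10"): "Fa3/18",
                ("00:0c:29:11:22:33", "10.120.4.20"): "Fa3/19"}
    dai = DynamicArpInspection(bindings, trusted={"Gi1/1"}, validate={"src-mac", "dst-mac", "ip"})
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    host, victim = "00:0c:29:11:22:33", "00:03:47:b5:9f:ad"
    packets = [
        # legitimate request from the host bound on Fa3/19
        ArpPacket("Fa3/19", host, bcast, "request", host, "10.120.4.20", zero, "10.120.4.1"),
        # spoofed reply: the host on Fa3/19 claims the victim's IP 10.120.4.10
        ArpPacket("Fa3/19", host, victim, "reply", host, "10.120.4.10", victim, "10.120.4.10"),
        # src-mac validation: Ethernet source and ARP sender MAC differ
        ArpPacket("Fa3/19", host, bcast, "request", "00:0c:29:aa:aa:aa", "10.120.4.20", zero, "10.120.4.1"),
        # ip validation: sender IP 0.0.0.0
        ArpPacket("Fa3/19", host, bcast, "request", host, "0.0.0.0", zero, "10.120.4.1"),
        # anything from the trusted uplink passes without inspection
        ArpPacket("Gi1/1", "00:11:22:33:44:55", bcast, "request", "00:11:22:33:44:55", "10.120.4.1", zero, "10.120.4.20"),
    ]
    return [dai.check(p) for p in packets]
```

Note the second packet: every field is self-consistent (Ethernet source equals ARP sender MAC, destination equals target MAC), so only the binding-table lookup catches it; the three validate options add defence against malformed ARPs but are no substitute for the DHCP snooping binding.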
Static Dynamic ARP Inspection Binding Table
Static (manual) bindings in the DHCP snooping binding table
The show command for static entries in the DHCP snooping binding table is different from the one for dynamic entries
No entry in the binding table: no traffic allowed
Wait until all devices have new leases before turning on DAI
Entries stay in table until the lease runs out
All hardware platforms have a binding size limit (in the range of thousands)
(config)# ip source binding 0000.0000.0001 vlan 4 10.0.10.200 interface fastethernet 3/1
# show ip source binding (shows the static DHCP snooping bindings)
Dynamic ARP Inspection – Logging Messages
sh log:
4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2.
4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disable state
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.2/12:19:27 UTC Wed Apr 19 2000])
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.3/12:19:27 UTC Wed Apr 19 2000])
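A parser for the three DAI syslog message types shown above, aggregating them per interface so that a log collector can alert on a port that is both exceeding the ARP rate limit and sending ARPs that fail the binding check. This is an added example, not Cisco tooling; the input is the slide's own `sh log` output re-used as sample data, and the field names in the summary are this example's choice.

```python
"""Parser for the DAI syslog messages shown above, turning them into per-interface
summaries a SOC could alert on. Added example, not Cisco code; the sample lines
are the ones from the slide, re-used here as input."""
import re
from typing import Dict

SAMPLE_LOG = """\
4w6d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 296 milliseconds on Gi3/2.
4w6d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/2, putting Gi3/2 in err-disable state
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.2/12:19:27 UTC Wed Apr 19 2000])
4w6d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/2, vlan 183.([0003.472d.8b0f/10.10.10.62/0000.0000.0000/10.10.10.3/12:19:27 UTC Wed Apr 19 2000])
"""

# DENY payload is [sender MAC/sender IP/target MAC/target IP/timestamp]
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on (?P<iface>\S+), "
    r"vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)")
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in (?P<ms>\d+) milliseconds on (?P<iface>\S+)\.")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<iface>\S+),")


def summarize(log: str) -> Dict[str, dict]:
    """Aggregate DAI events per interface: denied ARP count, sender pairs, targets, VLANs, peak rate, err-disable."""
    out: Dict[str, dict] = {}

    def entry(iface: str) -> dict:
        return out.setdefault(iface, {"denied": 0, "senders": set(), "targets": set(),
                                      "vlans": set(), "peak_pps": 0.0, "err_disabled": False})

    for line in log.splitlines():
        if m := DENY_RE.search(line):
            e = entry(m["iface"])
            e["denied"] += int(m["count"])
            e["senders"].add((m["smac"], m["sip"]))   # who is claiming what
            e["targets"].add(m["tip"])                 # who they are probing
            e["vlans"].add(int(m["vlan"]))
        elif m := RATE_RE.search(line):
            pps = int(m["pkts"]) * 1000 / int(m["ms"])
            e = entry(m["iface"])
            e["peak_pps"] = max(e["peak_pps"], pps)
        elif m := ERRDIS_RE.search(line):
            entry(m["iface"])["err_disabled"] = True
    return out


def noisy_interfaces(summary: Dict[str, dict], min_targets: int = 2) -> Dict[str, dict]:
    """Interfaces whose denied ARPs span several targets: one host probing many addresses."""
    return {i: e for i, e in summary.items() if len(e["targets"]) >= min_targets}
```

On the slide's log the summary shows Gi3/2 with two denied requests from a single sender pair (0003.472d.8b0f / 10.10.10.62) aimed at two different targets, a rate burst of roughly 54 pps (16 packets in 296 ms, above the 15 pps limit configured earlier), and the port already err-disabled.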
More ARP Attack Information
ARPWatch is a free tool to track IP/MAC address pairings and detect ARP spoofing attacks. It works, but:
- Caution: you will need an ARPWatch server on every VLAN
- Hard to manage and scale.
Installing ARPWatch on a Linux machine:
~# wget ftp://ftp.ee.lbl.gov/arpwatch.tar.gz
~# tar -xzvf arpwatch.tar.gz
~# cd arpwatch-2.1a13
~# ./configure --prefix=/usr/local/arpwatch
~# mkdir /usr/local/arpwatch/
~# make
~# make install
~# cp arp.dat /usr/local/arpwatch/sbin/
~# vi /etc/arpwatch.conf
eth0 -a -n 192.168.1.0/24 -m [email protected]
~# /etc/init.d/arpwatch restart
~# ps -u root | grep arpwatch
2408 ?        00:00:00 arpwatch
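The detection ARPWatch performs, reduced to its core, as an added example rather than ARPWatch's own code: keep the last MAC seen for each IP and raise the same kinds of events ARPWatch reports ("new station", "changed ethernet address", "flip flop"). The `ArpWatcher` class and the sequence of ARP replies below are constructed; the sequence replays the poisoning-then-cleanup pattern from the ARP spoofing slides above, which produces a pair of flip flops that a DHCP-snooping-less network could still catch.

```python
"""ARPWatch-style detector, added as an example (not ARPWatch's code): keeps the
IP-to-MAC pairing last seen for each address and raises the event kinds ARPWatch
reports. The ARP replies in run_demo() are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ArpWatcher:
    current: Dict[str, str] = field(default_factory=dict)    # ip -> MAC seen now
    previous: Dict[str, str] = field(default_factory=dict)   # ip -> MAC before the last change
    events: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (kind, ip, old mac, new mac)

    def observe(self, ip: str, mac: str) -> str:
        """Record one (ip, mac) pairing seen in an ARP reply; return the event kind."""
        mac = mac.lower()
        old = self.current.get(ip)
        if old is None:
            kind = "new station"
        elif old == mac:
            kind = "unchanged"
        elif self.previous.get(ip) == mac:
            # pairing bounced back to the earlier MAC: the classic poison/restore signature
            kind = "flip flop"
        else:
            kind = "changed ethernet address"
        if kind != "unchanged":
            self.events.append((kind, ip, old or "-", mac))
            if old is not None:
                self.previous[ip] = old
            self.current[ip] = mac
        return kind

    def suspicious(self) -> List[Tuple[str, str, str, str]]:
        """Events worth an alert: anything other than a first sighting."""
        return [e for e in self.events if e[0] != "new station"]


def run_demo() -> ArpWatcher:
    w = ArpWatcher()
    # Constructed ARP replies on 10.1.1.0/24: A (aa:..) and B (bb:..) are legitimate,
    # C (cc:..) poisons both entries and later restores them, as on the slides above.
    replies = [
        ("10.1.1.1", "aa:aa:aa:aa:aa:aa"), ("10.1.1.2", "bb:bb:bb:bb:bb:bb"),
        ("10.1.1.1", "aa:aa:aa:aa:aa:aa"),                                      # repeat: no event
        ("10.1.1.2", "cc:cc:cc:cc:cc:cc"), ("10.1.1.1", "cc:cc:cc:cc:cc:cc"),   # poisoning
        ("10.1.1.2", "bb:bb:bb:bb:bb:bb"), ("10.1.1.1", "aa:aa:aa:aa:aa:aa"),   # cleanup
    ]
    for ip, mac in replies:
        w.observe(ip, mac)
    return w
```

Two IPs changing to the same new MAC within a short window, followed by both flipping back, is exactly the trace a man-in-the-middle leaves; ARPWatch reports it but does not block it, which is why the slides position DAI, not monitoring, as the countermeasure.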
IPv6 Neighbor Discovery Fundamentals
RFC 4861, Neighbor Discovery for IP Version 6 (IPv6)
RFC 4862, IPv6 Stateless Address Autoconfiguration
Used for:
- Router discovery
- IPv6 Stateless Address Auto Configuration (SLAAC)
- IPv6 address resolution (replaces ARP)
- Neighbor Unreachability Detection (NUD)
- Duplicate Address Detection (DAD)
- Redirection
Operates above ICMPv6
- Relies heavily on multicast (including L2-multicast)
Works with ICMP messages and message "options"
IPv4 to IPv6 – Link model shift
"An IPv4 link": the IPv4 link model is DHCP-centric. The DHCP server assigns addresses, announces the default router and announces link parameters.
"An IPv6 link": the IPv6 link model is essentially distributed, with DHCP playing a minor role. The router announces the default router and the link parameters; addresses are assigned either from the router's advertised prefixes or by the DHCP server.
Layer-2 Security in IPv6 Networks – Problem Definition
IPv6 is becoming pervasive.
IPsec is a mandatory component for IPv6, but that does not mean that encrypting all IPv6 traffic is mandatory.
IPv4 ARP is replaced by the ICMPv6 Neighbor Discovery Protocol.
ARP Spoofing is now NDP Spoofing.
While ICMPv6 is not a Layer-2 protocol, we will focus on it.
Multiple attack tools exist
- The Hacker's Choice THC-IPV6 Attack Toolkit: parasite6, fake_router6, redir6 and 40+ more.
Your IPv4 network can be vulnerable to IPv6 attacks today.
See BRKSEC-2003 IPv6 Security Threats and Mitigations
IPv6 Address Resolution – comparing with IPv4 ARP
Creates neighbor cache entry, resolving IPv6 address into MAC address.
Messages: Neighbor Solicitation (NS), Neighbor Advertisement (NA)
Nodes A, B and C share the link; A resolves B:
NS: ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = Solicited-node multicast address of B; Data = B; Option = link-layer address of A; Query = what is B's link-layer address?
NA: ICMP type = 136 (Neighbor Advertisement); Src = one of B's IF addresses; Dst = A; Data = B; Option = link-layer address of B
A and B can now exchange packets on this link
Attacking IPv6 Address Resolution
Attacker can claim victim's IPv6 address.
A sends an NS for B (Dst = Solicited-node multicast address of B; Query = what is B's link-layer address?)
C answers with a spoofed NA: Src = B or any of C's IF addresses; Dst = A; Data = B; Option = link-layer address of C
Countermeasures: Static Cache Entries, Address GLEAN, SeND (CGA), Address-Watch.
IPv6 Address GLEAN
"Gleaning" means extracting addresses from NA, ND and DHCP messages.
Messages the switch gleans from hosts H1, H2, H3 and the DHCP server:
H1: NS [IP source=A1, LLA=MACH1]
H2: DHCP REQUEST [XID, SMAC = MACH2]; DHCP REPLY [XID, IPA21, IPA22] from the DHCP server (the switch can also ask the server with DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY)
H3: data [IP source=A3, SMAC=MACH3]; DAD NS [IP source=UNSPEC, target = A3]; NA [IP source=A1, LLA=MACH3] (A1 is already bound to MACH1 on P1)
Resulting binding table:
IPv6  MAC    VLAN  IF
A1    MACH1  100   P1
A21   MACH2  100   P2
A22   MACH2  100   P2
A3    MACH3  100   P3
IPv6 Router Discovery
Find default/first-hop routers
Discover on-link prefixes => which destinations are neighbors
Messages: Router Advertisements (RA), Router Solicitations (RS)
Host A and router B (connected to the Internet):
RS: ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or Host link-local address); Dst = All-routers multicast address (FF02::2); Query = please send RA
RA: ICMP Type = 134 (Router Advertisement); Src = Router link-local address; Dst = All-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Option = Prefix, lifetime
A then uses B as default gateway
Attacking IPv6 Router Discovery
Attacker tricks victim into accepting him as default router
Based on rogue Router Advertisements
The most frequent threat by non-malicious user
Attacker C sends its own RA: Src = C's link-local address; Dst = All-nodes; Data = router lifetime, autoconfig flag; Options = subnet prefix, slla
Attacker C also sends an RA in B's name: Src = B's link-local address; Dst = All-nodes; Data = router lifetime=0 (B is no longer a default router)
Result: Node A sends off-link traffic to C instead of B
IPv6 RA-Guard – Securing Router Discovery
Switch selectively accepts or rejects RAs based on various criteria – ACL (configuration) based, learning-based or challenge (SeND) based. Hosts see only allowed RAs, and RAs with allowed content.
An RA from C toward A ("I am the default gateway", Router Advertisement Option: prefix(s)) is forwarded only if verification succeeded.
More countermeasures: static routing, SeND, VLAN segmentation, PACL.
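Two of the first-hop functions described in this IPv6 section, modelled together because they share the same binding table: address gleaning from NS, DAD NS and NA (the Address GLEAN slide) with ownership enforcement on Neighbor Advertisements (the address-resolution attack), and an ACL-based RA-Guard that forwards Router Advertisements only from designated router ports and only with allowed prefixes (the router-discovery and SLAAC attacks). This is an added example, not Cisco code: the `FirstHopSwitch` class, the port and address values and the policy format are all constructed, and real RA-Guard supports more criteria than the two modelled here.

```python
"""Model of two IPv6 first-hop security functions from the slides above: address
gleaning into a binding table with ownership enforcement on NAs, and an
ACL-based RA-Guard. Added example, not Cisco code; all messages are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Set, Tuple

RS, RA, NS, NA = 133, 134, 135, 136     # ICMPv6 types named on the slides
UNSPEC = "::"


@dataclass(frozen=True)
class NdMessage:
    port: str                        # ingress switch port
    smac: str                        # Ethernet source MAC
    icmp_type: int
    src: str                         # IPv6 source address
    target: str = ""                 # NS/NA target address
    lla: str = ""                    # SLLA/TLLA option, if present
    prefixes: Tuple[str, ...] = ()   # RA prefix options


@dataclass
class FirstHopSwitch:
    vlan: int
    router_ports: Set[str]                 # RA-Guard policy: ports allowed to send RAs
    allowed_prefixes: Set[str]             # RA-Guard policy: prefixes an RA may carry
    bindings: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)   # ip -> (mac, port, vlan)
    events: List[str] = field(default_factory=list)

    def _claim(self, ip: str, mac: str, port: str) -> bool:
        """Bind ip to (mac, port) if it is free; otherwise succeed only for the existing owner."""
        key = IPv6Address(ip).compressed
        owner = self.bindings.get(key)
        if owner is None:
            self.bindings[key] = (mac.lower(), port, self.vlan)
            return True
        return owner[:2] == (mac.lower(), port)

    def process(self, m: NdMessage) -> str:
        if m.icmp_type == RA:
            return self._ra_guard(m)
        if m.icmp_type == NS:
            # A DAD NS has an unspecified source: glean the target from the frame's source MAC.
            ip, mac = (m.target, m.smac) if m.src == UNSPEC else (m.src, m.lla or m.smac)
            if not self._claim(ip, mac, m.port):
                self.events.append(f"drop NS on {m.port}: {ip} already bound elsewhere")
                return "drop"
            return "forward"
        if m.icmp_type == NA:
            # Address ownership: an NA may only advertise a target owned by the sender's binding.
            if not self._claim(m.target, m.lla or m.smac, m.port):
                self.events.append(f"drop NA on {m.port}: {m.target} is not owned by {m.lla or m.smac}")
                return "drop"
            return "forward"
        return "forward"

    def _ra_guard(self, m: NdMessage) -> str:
        if m.port not in self.router_ports:
            self.events.append(f"RA-Guard: drop RA from host port {m.port}")
            return "drop"
        for p in m.prefixes:
            if IPv6Network(p).compressed not in self.allowed_prefixes:
                self.events.append(f"RA-Guard: drop RA on {m.port}, prefix {p} not allowed")
                return "drop"
        return "forward"


def run_demo() -> Tuple[List[str], Dict[str, Tuple[str, str, int]]]:
    """Constructed: router on P0, hosts H1 on P1 and H3 on P3, documentation prefix 2001:db8:1::/64."""
    sw = FirstHopSwitch(vlan=100, router_ports={"P0"}, allowed_prefixes={"2001:db8:1::/64"})
    a1, a3 = "2001:db8:1::1", "2001:db8:1::3"
    msgs = [
        NdMessage("P1", "00:00:00:00:00:01", NS, a1, target="2001:db8:1::ff", lla="00:00:00:00:00:01"),  # glean A1
        NdMessage("P3", "00:00:00:00:00:03", NS, UNSPEC, target=a3),                                   # DAD: glean A3
        NdMessage("P3", "00:00:00:00:00:03", NA, a3, target=a1, lla="00:00:00:00:00:03"),             # H3 claims A1
        NdMessage("P0", "00:00:00:00:00:aa", RA, "fe80::aa", prefixes=("2001:db8:1::/64",)),          # real router
        NdMessage("P3", "00:00:00:00:00:03", RA, "fe80::3", prefixes=("2001:db8:1::/64",)),           # rogue RA
        NdMessage("P0", "00:00:00:00:00:aa", RA, "fe80::aa", prefixes=("2001:db8:bad::/64",)),        # bad prefix
    ]
    return [sw.process(m) for m in msgs], sw.bindings
```

The spoofed NA from H3 (the address-resolution attack) and both rogue RAs (the router-discovery and SLAAC attacks, including a lifetime-0 RA, which is caught by the same port check) are dropped, while the bindings for A1 and A3 end up exactly as in the binding table on the Address GLEAN slide.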
IPv6 Stateless Address Auto-Configuration (SLAAC)
Stateless, based on prefix information delivered in Router Advertisements.
Messages: Router Advertisements, Router Solicitations
Host A and router B (connected to the Internet):
RS: ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or Host link-local address); Dst = All-routers multicast address (FF02::2); Query = please send RA
RA: ICMP Type = 134 (Router Advertisement); Src = Router link-local address; Dst = All-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Options = Prefix X,Y,Z, lifetime
A computes X::x, Y::y, Z::z and DADs them (NS)
A then sources traffic with X::x, Y::y, Z::z
IPv6 Duplicate Address Detection (DAD)
Verify IPv6 address uniqueness
Probe neighbors to verify nobody claims the address
Messages: Neighbor Solicitation, Neighbor Advertisement
Node A, with neighbors B and C on the link:
NS: ICMP type = 135 (Neighbor Solicitation); Src = UNSPEC = 0::0; Dst = Solicited-node multicast address of A; Data = A; Query = Does anybody use A already?
If nobody answers, Node A starts using the address
Attacking IPv6 Stateless Address Auto-Configuration
Attacker spoofs Router Advertisement with false on-link prefix
Victim generates IP address with this prefix
Access router drops outgoing packets from victim (ingress filtering)
Incoming packets can't reach victim
Attacker C sends two RAs in the name of router B:
RA: Src = B's link-local address; Dst = All-nodes; Options = prefix X, Preferred lifetime = 0 (deprecates X::A)
RA: Src = B's link-local address; Dst = All-nodes; Options = prefix BAD, Preferred lifetime
Node A computes BAD::A and DADs it, then sources off-link traffic to B with BAD::A; router B filters out BAD::A
Features in IPv6 First-Hop Security
Switches do/will integrate a set of monitoring, inspection and guard features for a variety of security-centric purposes:
1. RA-guard
2. NDP address glean/inspection
3. Address watch/ownership enforcement
4. Device Tracking
5. Address GLEAN (NDP + DHCP + data)
6. DHCP-guard
7. DAD/Resolution proxy
8. Source-guard (SAVI)
9. Destination-guard
10. DHCP L2 relay
Feature set and platform availability have been staged into phases.
See BRKSEC-3003 Advanced IPv6 First-Hop Security
Configuring IPv6 FHS
IPv6 Configuration Examples at http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
- Configuring the IPv6 Binding Table Content
- Configuring IPv6 Device Tracking
- Configuring IPv6 ND Inspection
- Configuring IPv6 RA Guard
- Configuring SeND for IPv6
- Configuring IPv6 PACL
Server Virtualization – Network Security Concerns
Virtualization security concerns (around the host's VMNICs and vEth ports): V-Motion (Memory), V-Storage (VMDK), VM Segmentation, Hypervisor Security, Role Based Access, Physical Security, VM OS Hardening, Patch Management, VM Sprawl
Real case: [...] "It looks the O&M firewall is not filtering the ARP traffic the right way. This allows a VM to connect to any other VM through the O&M network after injecting malicious ARP traffic. This happens even if the destination VM belongs to a different tenant VDC" [...]
A look inside the VM environment
vSwitch lacks "advanced" network functions
No visibility into VM-to-VM traffic on a port group
No visibility into VM-to-Hypervisor calls
No SNMP and Netflow instrumentation to monitor flows between VMs
No ACLs and PVLAN to limit inter-VM traffic
No SPAN to enable forensic analysis of inter-VM traffic
(Figure: a DMZ with Web Server, Application Server and Database Server VMs on one vSwitch, each flagged "!!")
Moving Layer-2 Security boundary to the Virtual Switch
(Figure: a virtual switch with virtual ports such as veth125, veth327, veth42 and veth56 on VLANs 10, 17 and 18 plus the VMkernel, uplinked through physical ports eth7/2, eth7/3 and port-channel po3)
Most virtual ports are Access Ports. Most physical ports are Trunk Ports.
Virtual Access Layer-2 attacks and Countermeasures
Virtual Access Layer should offer at least the same L2 Security measures as within Campus: Access Lists, Dynamic ARP Inspection, DHCP Snooping, IP Source Guard, Port Security, Private VLANs, STP extensions, Layer-2 storm control, Rate-Limiters
With no such mechanisms in place, the consequences of exploitation are disastrous, taking the scale into account (hundreds of VMs).
Layer-2 flow visibility can be provided by:
- NetFlow Collection
- SPAN, RSPAN or ERSPAN
See BRKSEC-2205 Security and Virtualization in the Data Center
Inside the VEM: Packet Forwarding Features
Ingress Features: DHCP Snooping, Access Control Lists, QoS Marking, vPath, NetFlow
L2 Lookup Features: Port Security, Private VLANs, Multicast Groups
Egress Features: DHCP Snooping, ACL, QoS, vPath, NetFlow
VM LAN Security vSwitch Port Groups
› Use of Virtual Switch Tagging (VST)
› Use Port-Groups to segment vSwitch & VMs
› Assign VLAN to Port-Group based upon security affinity, i.e. Web = Blue VLAN
› Map existing physical affinities to VMs, i.e. Web Blue VLAN HR Port-Group
› Port-Groups also simplify policies that are applied to a VM, i.e. Web = VLAN101 (Blue)
› Use static MAC addresses per VM to simplify troubleshooting
› Intra-Tenant traffic between application tiers is controlled via firewall instance
(Figure: the vNICs of a DMZ Web Server, Application Server and Database Server attach to vSwitch port groups Web: Blue VLAN, Appl'n: Red VLAN and DB: Green VLAN; the pNIC carries an 802.1q trunk, Trunkfast enabled)
Transparent Firewall Definition
Firewall acts as a bump-in-the-wire between its outside and inside interfaces
Firewall must have an IP assigned in the same network
Firewall may also have an IP assigned to Management interface for OOB management
Firewall populates CAM table via learning, or soliciting a response. It will not flood.
If packet is received, and DMAC not present in CAM, packet is dropped.
Transparent Firewall – Directly Connected
Topology: Inside | firewall | Outside, with the same subnet 10.1.5.0/24 on both sides (10.1.5.254, 10.1.5.1 and 10.1.5.2 in the figure).
The inside host sends a packet DST: 10.1.5.9, DMAC: 0002.a22d.183b. The DMAC is not in the firewall's MAC table, so the packet is dropped (X) and the firewall solicits with its own ARP "Where is 10.1.5.9?":
ciscoasa# show mac-address-table
interface  mac address     type     Age(min)
------------------------------------------------------------------
Outside    0024.c4b3.c6e1  dynamic  3
Inside     0050.56b2.1351  dynamic  2
After the reply "10.1.5.9 is at 0002.a22d.183b" the entry is learned on Outside and subsequent packets are forwarded:
ciscoasa# show mac-address-table
interface  mac address     type     Age(min)
------------------------------------------------------------------
Outside    0024.c4b3.c6e1  dynamic  3
Outside    0002.a22d.183b  dynamic  5
Inside     0050.56b2.1351  dynamic  2
Transparent Firewall – Not Directly Connected
Topology as before; the destination network 10.2.2.0/24 lies behind the outside router.
The inside host sends DST: 10.2.2.3, DMAC: 0004.daad.4491. The DMAC is not in the MAC table, so the packet is dropped (X):
ciscoasa# show mac-address-table
interface  mac address     type     Age(min)
------------------------------------------------------------------
Inside     0050.56b2.1351  dynamic  2
The firewall sends ICMP Echo-Req: 10.2.2.3, TTL=1. The router answers Time Exceeded from 10.1.5.2 with SRC MAC: 0004.daad.4491, which the firewall learns on Outside:
ciscoasa# show mac-address-table
interface  mac address     type     Age(min)
------------------------------------------------------------------
Outside    0004.daad.4491  dynamic  5
Inside     0050.56b2.1351  dynamic  2
Subsequent packets DST: 10.2.2.3, DMAC: 0004.daad.4491 are forwarded.
Transparent Firewall – Deployment Scenario
Example of Bad Deployment Scenario
Web Server's Default Gateway points to internal router
What issues does this design cause?
(Figure: Internet router 10.1.5.254, transparent firewall between 10.1.5.1 and 10.1.5.2, www.example.com at 10.1.5.5 with its Default Gateway on the internal router; the SYN arrives through the firewall while the SYN+ACK is sent toward the internal router)
Transparent Firewall – Deployment Scenario
Firewall is inserted directly between two L3 routers
Firewall is inserted between end-hosts and default gateway
(Figure: both the SYN from the Internet and the SYN+ACK from www.example.com pass through the firewall)
IPS hardware module can be used with transparent firewall for additional Layer-2 security
Transparent firewalling for L2 Security
ASA in Transparent mode passes the following by default, unless specifically filtered by an EtherType ACL:
- BPDUs 01-00-0c-cc-cc-cd
- IPv4 multicast MACs 01-00-5e-00-00-00 to 01-00-5e-fe-ff-ff
- IPv6 multicast MACs 33-33-00-00-00-00 to 33-33-ff-ff-ff-ff
- AppleTalk 09-00-07-00-00-00 to 09-00-07-ff-ff-ff
- True broadcast destination MAC ff-ff-ff-ff-ff-ff
Transparent mode ASA does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, it does not pass IS-IS packets.
ARP inspection compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table.
# arp-inspection outside enable [flood | no-flood] (allow or restrict unknown ARPs)
BRKSEC-3020 and TECSEC-2020 cover ASA in depth.
See BRKSEC-3020 Advanced ASA Firewalls
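The transparent-firewall forwarding rules from the last few slides as one Python model: frames need an EtherType of at least 0x600, the listed multicast and broadcast MACs pass by default, unicast is forwarded only on a MAC-table hit (never flooded), and a miss triggers the learning probe the slides show (an ARP for an on-subnet destination, an ICMP echo with TTL=1 for a destination behind a router). This is an added example, not ASA code: the `TransparentFirewall` class and its frames are constructed, the replayed MACs and addresses are the ones from the slides, and the model omits everything else the ASA does with a frame (ACLs, stateful inspection, ARP inspection).

```python
"""Model of the transparent-firewall forwarding rules from the slides above.
Added example, not ASA code; frames and the subnet are constructed."""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Destination MAC ranges an ASA in transparent mode passes by default (from the slide).
DEFAULT_PASS_RANGES = [
    ("01-00-0c-cc-cc-cd", "01-00-0c-cc-cc-cd"),   # BPDUs
    ("01-00-5e-00-00-00", "01-00-5e-fe-ff-ff"),   # IPv4 multicast
    ("33-33-00-00-00-00", "33-33-ff-ff-ff-ff"),   # IPv6 multicast
    ("09-00-07-00-00-00", "09-00-07-ff-ff-ff"),   # AppleTalk
    ("ff-ff-ff-ff-ff-ff", "ff-ff-ff-ff-ff-ff"),   # broadcast
]


def mac_key(mac: str) -> str:
    """Normalize 0002.a22d.183b / 00-02-a2-2d-18-3b / 00:02:a2:2d:18:3b to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return digits


def passes_by_default(dmac: str) -> bool:
    """Equal-length lowercase hex strings compare in the same order as the 48-bit values."""
    k = mac_key(dmac)
    return any(mac_key(lo) <= k <= mac_key(hi) for lo, hi in DEFAULT_PASS_RANGES)


@dataclass(frozen=True)
class Frame:
    iface: str                       # "inside" or "outside"
    smac: str
    dmac: str
    ethertype: int                   # for LLC frames this is the length field (< 0x600)
    dst_ip: Optional[str] = None     # IP destination, needed for the learning probe


@dataclass
class TransparentFirewall:
    subnet: IPv4Network                                        # the network the firewall's IP is in
    mac_table: Dict[str, str] = field(default_factory=dict)    # mac -> interface it was learned on
    probes: List[str] = field(default_factory=list)            # what the firewall sends to learn a MAC

    def handle(self, f: Frame) -> str:
        """Return 'forward' or 'drop'; always learn the source MAC on the ingress interface."""
        self.mac_table[mac_key(f.smac)] = f.iface
        if f.ethertype < 0x600:          # CDP, IS-IS and other LLC traffic: no valid EtherType
            return "drop"
        if passes_by_default(f.dmac):
            return "forward"
        out = self.mac_table.get(mac_key(f.dmac))
        if out is None:
            # Never flood: drop, and solicit a response so the next frame hits the table.
            if f.dst_ip and IPv4Address(f.dst_ip) in self.subnet:
                self.probes.append(f"ARP: Where is {f.dst_ip}")
            elif f.dst_ip:
                self.probes.append(f"ICMP Echo-Req: {f.dst_ip}, TTL=1")
            return "drop"
        return "forward" if out != f.iface else "drop"


def run_demo() -> Tuple[List[str], Dict[str, str], List[str]]:
    """Replay the directly-connected and not-directly-connected sequences from the slides."""
    fw = TransparentFirewall(IPv4Network("10.1.5.0/24"))
    host, router, peer = "0050.56b2.1351", "0004.daad.4491", "0002.a22d.183b"
    frames = [
        Frame("inside", host, peer, 0x0800, "10.1.5.9"),        # on-subnet, DMAC unknown: drop + ARP
        Frame("outside", peer, host, 0x0806),                   # ARP reply from 10.1.5.9: peer learned on outside
        Frame("inside", host, peer, 0x0800, "10.1.5.9"),        # now forwarded
        Frame("inside", host, router, 0x0800, "10.2.2.3"),      # off-subnet, DMAC unknown: drop + TTL=1 probe
        Frame("outside", router, host, 0x0800, "10.1.5.1"),     # Time Exceeded from the router: MAC learned
        Frame("inside", host, router, 0x0800, "10.2.2.3"),      # now forwarded
        Frame("inside", host, "01-00-0c-cc-cc-cc", 0x01aa),     # CDP: LLC length field, no EtherType
        Frame("inside", host, "ff-ff-ff-ff-ff-ff", 0x0806),     # broadcast ARP request passes by default
    ]
    return [fw.handle(f) for f in frames], dict(fw.mac_table), list(fw.probes)
```

The two drops followed by forwards reproduce the `show mac-address-table` progression on the slides; the bad deployment scenario (return traffic bypassing the firewall) shows up in this model as a MAC that is never learned on the outside interface, so inside-to-outside frames keep being dropped.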
Intrusion Prevention for L2 Security
The IPS Sensor can pass or drop CDP traffic.
Preventing ARP Spoofing with IPS Atomic.ARP engine.
Thousands of higher OSI layers Attack Signatures exist for both IPv4 and IPv6.
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2202 106
Intrusion Prevention for L2 Security in IPv6 Networks
ICMPv6 signatures for attack mitigation and visibility, including NA, NS, RA and RS messages.
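The ICMPv6 Neighbor Discovery visibility mentioned above, as an added example that is not Cisco IPS code: a classifier that recognises RS, RA, NS and NA messages in raw IPv6 packets, counts them, and raises the two checks a sensor would apply to Router Advertisements (hop limit must be 255 and the source must be link-local, both RFC 4861 requirements, plus a locally defined list of routers expected to advertise). The `build_nd` helper, the `trusted_routers` list, and every address and packet are constructed for the example; ICMPv6 checksums are not verified.

```python
# Added example (not Cisco IPS code): a small classifier for the ICMPv6 Neighbor
# Discovery messages named above (RS, NS, NA, RA), to illustrate the kind of
# visibility and checks an ND-aware sensor provides. The hop-limit and
# link-local rules come from RFC 4861; the trusted-router list, addresses and
# sample packets are constructed for the example, and checksums are not verified.
import struct
import ipaddress
from collections import Counter

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}


def build_nd(src: str, dst: str, icmp_type: int, hop_limit: int = 255,
             body: bytes = b"\x00" * 4) -> bytes:
    """Constructed IPv6 + ICMPv6 packet; checksum field left at zero."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return ipv6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def classify_nd(packet: bytes, trusted_routers):
    """Return {'type', 'src', 'dst', 'alerts'} for an ND message, or None otherwise."""
    if len(packet) < 44:
        return None
    first_word, _payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6 or next_header != ICMPV6:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    name = ND_TYPES.get(packet[40])
    if name is None:
        return None
    trusted = {ipaddress.IPv6Address(a) for a in trusted_routers}
    alerts = []
    # RFC 4861: ND messages must arrive with hop limit 255; anything else was
    # forwarded through a router or forged.
    if hop_limit != 255:
        alerts.append("hop limit %d != 255" % hop_limit)
    if name == "RA":
        # RFC 4861 4.2: the RA source must be the router's link-local address.
        if not src.is_link_local:
            alerts.append("RA source is not link-local")
        if src not in trusted:
            alerts.append("RA from unexpected source (rogue router candidate)")
    return {"type": name, "src": str(src), "dst": str(dst), "alerts": alerts}


def summarize(packets, trusted_routers):
    """Counts of ND message types and of alerted packets over a packet list."""
    types, alerted = Counter(), 0
    for pkt in packets:
        info = classify_nd(pkt, trusted_routers)
        if info is None:
            continue
        types[info["type"]] += 1
        alerted += bool(info["alerts"])
    return {"by_type": dict(types), "alerted": alerted}
```

The type counts alone give the visibility the slide refers to (a sudden burst of RAs or NAs on a segment is worth a look); the RA checks are the mitigation side, flagging advertisements that no legitimate router on that link should have sent.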
ERSPAN
IPS with Encapsulated RSPAN (ERSPAN) in virtualized environments
Extends local SPAN to send mirrored packets outside the local host (VEM)
Can be used to monitor the traffic on the virtual switch remotely
One or more sources:
- Type: Ethernet, Vethernet, Port-Channel, VLAN
- Direction: Ingress / Egress / Both
IP-based destination
ERSPAN ID provides segmentation between sessions
GRE protocol type 0x88be identifies ERSPAN
Figure (diagram): Nexus 1000V on ESXi (VMkernel, VMs); ERSPAN destinations ID:1 and ID:2 (management console, NAM)
BRKSEC-3030 covers Advanced IPS
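The ERSPAN encapsulation outlined on the slide (IP-based destination, GRE protocol type 0x88be, ERSPAN ID for segmentation), as an added example that is not Cisco or Nexus 1000V code: a builder and parser for ERSPAN Type II packets, plus a dispatcher that hands each received session to its consumer by ERSPAN ID, the way the figure shows ID:1 and ID:2 going to different destinations. The header bit layout follows the published ERSPAN Type II draft; the `SESSION_OWNER` mapping, the `dispatch` function and all addresses are constructed for the example.

```python
# Added example (not Cisco or Nexus 1000V code): building and parsing an ERSPAN
# Type II packet as described on the slide (GRE protocol type 0x88be, session
# segmentation by ERSPAN ID, IP-based destination). The header bit layout
# follows the published ERSPAN Type II draft; the session-to-sensor mapping and
# all addresses are constructed for the example.
import struct

ERSPAN_GRE_PROTOCOL = 0x88BE
GRE_FLAG_SEQUENCE = 0x1000       # Type II carries a GRE sequence number
ERSPAN_VERSION_II = 1            # Ver field value for Type II


def build_erspan(session_id: int, vlan: int, seq: int, inner_frame: bytes,
                 src_ip: bytes, dst_ip: bytes, cos: int = 0, index: int = 0) -> bytes:
    """IPv4 (proto 47) + GRE + ERSPAN Type II header + mirrored Ethernet frame."""
    assert 0 <= session_id < 1024 and 0 <= vlan < 4096
    gre = struct.pack("!HHI", GRE_FLAG_SEQUENCE, ERSPAN_GRE_PROTOCOL, seq)
    # word1: Ver(4) VLAN(12) COS(3) En(2) T(1) SessionID(10); word2: Reserved(12) Index(20)
    en, truncated = 0, 0
    word1 = ((ERSPAN_VERSION_II << 28) | (vlan << 16) | (cos << 13)
             | (en << 11) | (truncated << 10) | session_id)
    word2 = index & 0xFFFFF
    erspan = struct.pack("!II", word1, word2)
    payload = gre + erspan + inner_frame
    total_len = 20 + len(payload)
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto 47, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 47, 0, src_ip, dst_ip)
    return ip + payload


def parse_erspan(packet: bytes):
    """Return session id, vlan, seq and the mirrored frame, or None if not ERSPAN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 47:                   # not GRE
        return None
    gre_flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != ERSPAN_GRE_PROTOCOL:
        return None
    offset = ihl + 4
    seq = None
    if gre_flags & GRE_FLAG_SEQUENCE:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    word1, word2 = struct.unpack("!II", packet[offset:offset + 8])
    if word1 >> 28 != ERSPAN_VERSION_II:
        return None
    return {
        "session_id": word1 & 0x3FF,
        "vlan": (word1 >> 16) & 0xFFF,
        "cos": (word1 >> 13) & 0x7,
        "seq": seq,
        "index": word2 & 0xFFFFF,
        "frame": packet[offset + 8:],
    }


# Constructed mapping for the example: which monitoring tool owns which ERSPAN ID
# (the slide's figure shows two destinations, ID:1 and ID:2).
SESSION_OWNER = {1: "ips-sensor", 2: "nam"}


def dispatch(packet: bytes):
    """Name the consumer for a received ERSPAN packet, or None if it is not ERSPAN."""
    info = parse_erspan(packet)
    if info is None:
        return None
    return SESSION_OWNER.get(info["session_id"], "unassigned"), info
```

The 10-bit session ID is what keeps traffic from different monitor sessions apart once it is all arriving at one collector IP; the GRE sequence number lets the receiver notice gaps in the mirrored stream, which matters when the IPS is expected to reassemble flows from it.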
Layer-2 Security Summary
Use multiple, overlapping security mechanisms.
Utilize well-known Cisco Integrated Security Features (CISF).
Secure the Control Plane, Management Plane and Data Plane.
Develop a security strategy for your virtualized environment.
Explore the available IPv6 First-Hop Security Features (FHS).
Defense in depth is the right approach.
Q&A
BRKSEC-2202
Recommended Reading
Please visit the Cisco Store for suitable reading.
Please complete your Session Survey
Don't forget to complete your online session evaluations after each session.
Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite, which can also be accessed through the screens at the Communication Stations.
Or use the Cisco Live Mobile App to complete the surveys from your phone; download the app at www.ciscolivelondon.com/connect/mobile/app.html
We value your feedback
http://m.cisco.com/mat/cleu12/
1. Scan the QR code (go to http://tinyurl.com/qrmelist for QR code reader software, alternatively type in the access URL above)
2. Download the app or access the mobile site
3. Log in to complete and submit the evaluations
Thank you.