
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public. Session SEC-206

Layer 2 Security

Eric Vyncke

Distinguished Consulting Engineer

Caveats

All attacks and mitigation techniques assume a switched Ethernet network running IPv4

All testing was done on Cisco Ethernet switches; Ethernet switching attack resilience varies widely from vendor to vendor

This is not a comprehensive talk on configuring Ethernet switches for security, NAC or IEEE 802.1X: the focus is mostly on access-layer L2 attacks and their mitigation

Agenda

• Layer 2 Attack Landscape
• Attacks and Counter Measures: MAC attacks, DHCP attacks, ARP attacks, spoofing attacks, general attacks
• Summary

Why Worry About Layer 2 Security?

OSI was built to allow different layers to work without the knowledge of each other

[Figure: Host A and Host B, each with the full OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical). Each layer is paired with what identifies it: the application stream at Application, protocols/ports at Transport, IP addresses at Network, MAC addresses at Data Link, physical links at Physical]

Lower Levels Affect Higher Levels

Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem

Security is only as strong as the weakest link; when it comes to networking, layer 2 can be a very weak link

[Figure: the same two OSI stacks; an initial compromise at the Data Link layer (MAC addresses) leaves every layer above it compromised: IP addresses, protocols/ports and the application stream (POP3, IMAP, IM, SSL, SSH)]

NetOPS/SecOPS, Whose Problem Is It?

Questions, with the answers most SecOPS and most NetOPS give:

What is your stance on L2 security issues?
• Most SecOPS: I handle security issues at L3 and above
• Most NetOPS: There are L2 security issues?

Do you use VLANs often?
• Most SecOPS: I have no idea if we are using VLANs
• Most NetOPS: I use VLANs all the time

Do you ever put different security levels on the same switch using VLANs?
• Most SecOPS: Why would I care what the network guy does with the switch?
• Most NetOPS: Routing in and out of the same switch is OK by me! That’s what VLANs are for

What is the process for allocating addresses for segments?
• Most SecOPS: I ask NetOPS for a segment, they give me ports and addresses
• Most NetOPS: The security guy asks me for a new segment, I create a VLAN and assign him an address space


CAM Table Review

CAM table stands for Content Addressable Memory

The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters

CAM tables have a fixed size

Normal CAM Behavior 1/3

[Figure: MAC A on port 1, MAC B on port 2, MAC C on port 3; CAM table: A → port 1, C → port 3]

A sends an ARP request for B. B is unknown, so the switch floods the frame out every port

Normal CAM Behavior 2/3

B answers "I am MAC B". The switch learns that A is on port 1 and B is on port 2; CAM table: A → port 1, B → port 2, C → port 3

Normal CAM Behavior 3/3

Traffic from A to B is now forwarded only to port 2 (B is on port 2); C does not see traffic to B

CAM Overflow 1/2

Macof tool, since 1999: about 100 lines of Perl, included in “dsniff”

The attack is successful by exploiting the size limit on CAM tables

Yersinia: flavor of the month attack tool

CAM Overflow 2/2

[Figure: MAC A on port 1, MAC B on port 2, the attacker (MAC C) on port 3. The attacker announces "I am MAC Y", "I am MAC Z", ... so the switch learns Y on port 3, Z on port 3, and so on; CAM table: A → 1, B → 2, C → 3, Y → 3, Z → 3, ... Assume the CAM table is now full: traffic from A to B is flooded to every port and the attacker on port 3 says "I see traffic to B!"]

CAM Table Full

Once the CAM table is full, traffic without a CAM entry is flooded out every port on that VLAN, but NOT traffic with an existing CAM entry

This basically turns a VLAN on a switch into a hub

This attack will also fill the CAM tables of adjacent switches

By the way, Cisco switches never overwrite an existing entry; idle entries are removed (aged out)

Packet capture from the slide (the "OOPS" marks unicast traffic between two other hosts that the capturing station should never have seen):

10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.1, 10.1.1.1 ?
10.1.1.22 -> (broadcast) ARP C Who is 10.1.1.19, 10.1.1.19 ?
10.1.1.26 -> 10.1.1.25 ICMP Echo request (ID: 256 Sequence number: 7424) OOPS
10.1.1.25 -> 10.1.1.26 ICMP Echo reply (ID: 256 Sequence number: 7424) OOPS

Countermeasures for MAC Attacks

Port Security Limits the Amount of MACs on an Interface

Port security limits the MAC flooding attack, locks down the port and sends an SNMP trap

[Figure: an attacker sends 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, ...). Solution: only one MAC address allowed on the port; on violation, shutdown]
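The learning, flooding and table-exhaustion behaviour described on the CAM slides above, together with the port-security limit, as an added Python simulation; it is not code from the deck or from Cisco. The Switch class, its four-entry table, the port numbers and the single-letter MAC labels are constructed for the demonstration:

```python
"""Learning-switch simulation: CAM learning, flooding, table exhaustion and the
port-security countermeasure. Added teaching example; not Cisco code. The table
size, port numbers and MAC labels are constructed for the demonstration."""
from collections import OrderedDict


class Switch:
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size              # CAM tables have a fixed size
        self.cam = OrderedDict()              # MAC -> port
        self.max_macs = max_macs_per_port     # port-security maximum, None = off
        self.secure_macs = {p: set() for p in self.ports}
        self.errdisabled = set()              # ports shut down after a violation
        self.log = []

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame entering in_port; return the set of egress ports."""
        if in_port in self.errdisabled:
            return set()
        # Port security: a new source MAC beyond the configured maximum is a
        # violation; the port is shut down (err-disabled), where a real switch
        # would also raise the SNMP trap.
        if self.max_macs is not None:
            seen = self.secure_macs[in_port]
            if src_mac not in seen:
                if len(seen) >= self.max_macs:
                    self.errdisabled.add(in_port)
                    self.log.append(f"port {in_port} err-disabled: {src_mac} exceeds max {self.max_macs}")
                    return set()
                seen.add(src_mac)
        # Learning: an existing entry is never overwritten (as the deck states for
        # Cisco switches) and a new one is only added while the table has room.
        if src_mac not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src_mac] = in_port
        # Forwarding: known destination -> its port; unknown -> flood the VLAN
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return set(self.ports) - {in_port}


BCAST = "ff:ff:ff:ff:ff:ff"


def demo_cam_overflow():
    """Normal learning, then a full table turning the VLAN into a hub."""
    sw = Switch(ports=[1, 2, 3], cam_size=4)
    r = {}
    r["arp_for_b"] = sw.receive(1, "A", "B")          # B unknown: flooded to ports 2 and 3
    r["b_reply"] = sw.receive(2, "B", "A")            # switch learns B on port 2
    r["a_to_b"] = sw.receive(1, "A", "B")             # now unicast to port 2 only
    for bogus in ["Y", "Z", "W"]:                     # bogus sources arriving on port 3
        sw.receive(3, bogus, BCAST)
    r["cam"] = dict(sw.cam)                           # A, B, Y, Z learned; W did not fit
    r["a_to_b_full"] = sw.receive(1, "A", "B")        # existing entry: still unicast
    sw.receive(2, "E", "A")                           # new station E cannot be learned
    r["a_to_e_full"] = sw.receive(1, "A", "E")        # no entry: flooded, port 3 sees it
    return r


def demo_port_security():
    """Same sequence against a switch with port-security maximum 1 on every port."""
    sw = Switch(ports=[1, 2, 3], cam_size=4, max_macs_per_port=1)
    sw.receive(1, "A", "B")
    sw.receive(2, "B", "A")
    for bogus in ["Y", "Z", "W"]:
        sw.receive(3, bogus, BCAST)
    return {"errdisabled": set(sw.errdisabled), "cam": dict(sw.cam), "log": list(sw.log)}


if __name__ == "__main__":
    for name, result in (("overflow", demo_cam_overflow()), ("port-security", demo_port_security())):
        print(name, result)
```

Run it directly to print both scenarios. Because the simulated switch never replaces an existing entry, A's traffic to B stays unicast after the table fills, while a station learned too late (E) has its traffic flooded to the attacker's port; with a maximum of one MAC per port, the second bogus source err-disables port 3 before the table can fill.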

Building the Layers

[Figure: defence layers stacked: Port Security]

Port security prevents CAM attacks and DHCP starvation attacks


DHCP: Quick Overview

DHCP is defined by RFC 2131

[Figure: exchange between client and DHCP server]
DHCP Discover (broadcast), client → server
DHCP Offer (unicast), server → client: IP address 10.10.10.101, default router 10.10.10.1, DNS servers 192.168.10.4, 192.168.10.5
DHCP Request (broadcast), client → server
DHCP Ack (unicast), server → client

DHCP Attack Types: DHCP Starvation Attack

Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the scope

This is a Denial of Service (DoS) attack using DHCP leases

[Figure: Gobbler sends DHCP Discover × (size of scope); the DHCP server answers DHCP Offer × (size of scope); Gobbler sends DHCP Request × (size of scope); the server answers DHCP Ack × (size of scope). A legitimate client then gets no address: denial of service]

Countermeasures for DHCP Attacks: DHCP Starvation Attack = Port Security

Gobbler uses a new MAC address to request each new DHCP lease

Restrict the number of MAC addresses on a port with port security

Else use DHCP option 82: the DHCP server can then track which port has already got one IP address

DHCP Attack Types: Rogue DHCP Server Attack

[Figure: client and rogue server in VLAN 5, genuine DHCP server reached via VLAN 165]
DHCP Discover (broadcast)
2 DHCP Offers (unicast): 1 from the rogue, 1 genuine
DHCP Request (broadcast) to the 1st offer
DHCP Ack (unicast) from the rogue server

DHCP Attack Types: Rogue DHCP Server Attack

What can the attacker do if he is the DHCP server?

"Here is your configuration": IP address 10.10.10.101, subnet mask 255.255.255.0, default router 10.10.10.1, DNS servers 192.168.10.4, 192.168.10.5, lease time 10 days

What do you see as a potential problem with incorrect information?

Wrong default gateway: the attacker is the gateway
Wrong DNS server: the attacker is the DNS server
Wrong IP address: the attacker does DoS with an incorrect IP

Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping

By default all ports in the VLAN are untrusted

[Figure: DHCP snooping enabled; the client and the rogue server sit on untrusted ports, the DHCP server (or uplink) on a trusted port. DHCP responses (offer, ack, nak) are OK from the trusted port and BAD, i.e. dropped, from untrusted ports]

IOS global commands:
ip dhcp snooping vlan 4,104
no ip dhcp snooping information option
ip dhcp snooping

Interface commands, DHCP snooping untrusted client:
no ip dhcp snooping trust (default)
ip dhcp snooping limit rate 10 (pps)

Interface commands, DHCP snooping trusted server or uplink:
ip dhcp snooping trust

Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping

The table is built by “snooping” the DHCP reply to the client

Entries stay in the table until the DHCP lease time expires

DHCP snooping binding table:

sh ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18

Building the Layers

[Figure: defence layers stacked: Port Security, DHCP Snooping]

Port security prevents CAM attacks and DHCP starvation attacks

DHCP snooping prevents rogue DHCP server attacks


ARP Function Review

Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address

All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply

[Figure: "Who is 10.1.1.4?" is broadcast; the owner answers "I am 10.1.1.4, MAC A"]

ARP Function Review

According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables

Anyone can claim to be the owner of any IP/MAC address they like

ARP attacks use this to redirect traffic

[Figure: a host announces "I am 10.1.1.1, MAC A"; every other host on the subnet records "10.1.1.1 is MAC A"]

ARP Attack in Action

Attacker “poisons” the ARP tables

[Figure: 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and the attacker 10.1.1.3 (MAC C). The attacker sends an ARP to 10.1.1.1 saying "10.1.1.2 is MAC C" and an ARP to 10.1.1.2 saying "10.1.1.1 is MAC C"; now 10.1.1.1 believes 10.1.1.2 is MAC C and 10.1.1.2 believes 10.1.1.1 is MAC C]

ARP Attack in Action

All traffic flows through the attacker

[Figure: the same three hosts; 10.1.1.1 transmits and receives its traffic for 10.1.1.2 via MAC C, and 10.1.1.2 transmits and receives its traffic for 10.1.1.1 via MAC C]

Countermeasures to ARP Attacks: Dynamic ARP Inspection

Dynamic ARP Inspection uses the DHCP snooping binding table information

All ARP packets must match the IP/MAC binding table entries; if the entries do not match, throw them in the bit bucket

[Figure: DHCP snooping enabled and Dynamic ARP Inspection enabled. The attacker's ARPs ("10.1.1.2 is MAC C" to 10.1.1.1, "10.1.1.1 is MAC C" to 10.1.1.2) are checked by the switch: "Is this in my binding table? NO!" and the non-matching ARPs go in the bit bucket]

Countermeasures to ARP Attacks: Dynamic ARP Inspection

Uses the information from the DHCP snooping binding table

Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding table; if not, the traffic is blocked

sh ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
00:03:47:c4:6f:83  10.120.4.11     213454     dhcp-snooping 4    FastEthernet3/21

Building the Layers

[Figure: defence layers stacked: Port Security, DHCP Snooping, Dynamic ARP Inspection]

Port security prevents CAM attacks and DHCP starvation attacks

DHCP snooping prevents rogue DHCP server attacks

Dynamic ARP inspection prevents current ARP attacks


Spoofing Attacks

MAC spoofing: if MACs are used for network access, an attacker can gain access to the network; it can also be used to take over the identity of someone already on the network

IP spoofing: ping of death, ICMP unreachable storm, SYN flood; trusted IP addresses can be spoofed

Countermeasures to Spoofing Attacks: IP Source Guard

Uses the DHCP snooping binding table information

IP source guard operates just like dynamic ARP inspection, but looks at every packet, not just ARP packets

[Figure: DHCP snooping, Dynamic ARP Inspection and IP Source Guard enabled; 10.1.1.1 (MAC A), 10.1.1.2 (MAC B), 10.1.1.3 (MAC C). Traffic received with source IP 10.1.1.2 from MAC B matches the binding table and passes; traffic sent with IP 10.1.1.3 from MAC B, or with IP 10.1.1.2 from MAC C, does not match ("Is this in my binding table? NO!") and is dropped]

Countermeasures to Spoofing Attacks: IP Source Guard

Uses the information from the DHCP snooping binding table

Looks at the MacAddress and IpAddress fields to see if the traffic from the interface is in the binding table; if not, the traffic is blocked

sh ip dhcp snooping binding
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD  10.120.4.10     193185     dhcp-snooping 4    FastEthernet3/18
00:03:47:c4:6f:83  10.120.4.11     213454     dhcp-snooping 4    FastEthernet3/21
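The three binding-table checks described on the DHCP snooping, Dynamic ARP Inspection and IP Source Guard slides, as one added Python simulation; it is not Cisco code. The SnoopingSwitch class, the port names Fa0/1 to Fa0/24, VLAN 5, the lease values and the packet dictionaries are constructed, using the hosts from the deck's figures:

```python
"""Simulation of DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard
(IPSG) sharing one binding table. Added teaching example; not Cisco code. Port
names, MAC labels, VLAN and addresses are constructed (they follow the deck)."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int          # seconds; the entry is removed when the lease expires


@dataclass
class SnoopingSwitch:
    trusted: set                                     # ports allowed to send DHCP server messages
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)      # (vlan, mac) -> port the client request came in on
    dropped: list = field(default_factory=list)      # (reason, port) audit trail

    def _drop(self, reason, pkt):
        self.dropped.append((reason, pkt["in"]))
        return False

    def dhcp_snoop(self, pkt):
        """DHCP snooping: offer/ack/nak are only accepted from trusted ports; an
        ack seen on a trusted port creates the binding for the client's port."""
        msg, port = pkt["msg"], pkt["in"]
        if msg in ("offer", "ack", "nak"):
            if port not in self.trusted:
                return self._drop("DHCP server message on untrusted port", pkt)
            if msg == "ack":
                key = (pkt["vlan"], pkt["client_mac"])
                client_port = self.pending.get(key)
                if client_port is not None:
                    self.bindings[key] = Binding(pkt["client_mac"], pkt["yiaddr"], pkt["vlan"], client_port, pkt["lease"])
            return True
        self.pending[(pkt["vlan"], pkt["client_mac"])] = port   # discover/request from a client
        return True

    def _matches(self, vlan, mac, ip, port):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.interface == port

    def arp_inspect(self, pkt):
        """DAI: sender MAC/IP of an ARP from an untrusted port must be in the binding table."""
        if pkt["in"] in self.trusted or self._matches(pkt["vlan"], pkt["sender_mac"], pkt["sender_ip"], pkt["in"]):
            return True
        return self._drop("DAI: ARP sender not in binding table", pkt)

    def source_guard(self, pkt):
        """IPSG: the same check, applied to the source MAC/IP of every IP packet, not just ARP."""
        if pkt["in"] in self.trusted or self._matches(pkt["vlan"], pkt["src_mac"], pkt["src_ip"], pkt["in"]):
            return True
        return self._drop("IPSG: source not in binding table", pkt)

    def age(self, seconds):
        """Entries stay in the table until the DHCP lease time expires."""
        for key, b in list(self.bindings.items()):
            b.lease -= seconds
            if b.lease <= 0:
                del self.bindings[key]


def run_scenario():
    """Hosts from the deck's figures: 10.1.1.1/MAC A, 10.1.1.2/MAC B, attacker 10.1.1.3/MAC C."""
    sw = SnoopingSwitch(trusted={"Fa0/24"})          # Fa0/24: uplink towards the real DHCP server
    for mac, ip, port in (("A", "10.1.1.1", "Fa0/1"), ("B", "10.1.1.2", "Fa0/2"), ("C", "10.1.1.3", "Fa0/3")):
        sw.dhcp_snoop({"msg": "request", "in": port, "vlan": 5, "client_mac": mac})
        sw.dhcp_snoop({"msg": "ack", "in": "Fa0/24", "vlan": 5, "client_mac": mac, "yiaddr": ip, "lease": 86400})
    r = {"bindings": len(sw.bindings)}
    # rogue DHCP server on the attacker's port trying to answer B
    r["rogue_offer"] = sw.dhcp_snoop({"msg": "offer", "in": "Fa0/3", "vlan": 5, "client_mac": "B", "yiaddr": "10.1.1.99", "lease": 864000})
    # genuine ARP from A, then the attacker's gratuitous ARP "10.1.1.1 is MAC C"
    r["arp_ok"] = sw.arp_inspect({"in": "Fa0/1", "vlan": 5, "sender_mac": "A", "sender_ip": "10.1.1.1"})
    r["arp_poison"] = sw.arp_inspect({"in": "Fa0/3", "vlan": 5, "sender_mac": "C", "sender_ip": "10.1.1.1"})
    # genuine IP packet from B; B's port sending IP 10.1.1.3; the attacker sending IP 10.1.1.2
    r["ip_ok"] = sw.source_guard({"in": "Fa0/2", "vlan": 5, "src_mac": "B", "src_ip": "10.1.1.2"})
    r["ip_spoofed_ip"] = sw.source_guard({"in": "Fa0/2", "vlan": 5, "src_mac": "B", "src_ip": "10.1.1.3"})
    r["ip_attacker_spoof"] = sw.source_guard({"in": "Fa0/3", "vlan": 5, "src_mac": "C", "src_ip": "10.1.1.2"})
    sw.age(90000)                                    # every lease expires: the table empties,
    r["arp_after_expiry"] = sw.arp_inspect(          # so even A is blocked until a new ack is snooped
        {"in": "Fa0/1", "vlan": 5, "sender_mac": "A", "sender_ip": "10.1.1.1"})
    r["dropped"] = list(sw.dropped)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The final step shows the operational caveat behind "entries stay in the table until the lease expires": once bindings age out, DAI and IPSG block even legitimate hosts until the next DHCP exchange is snooped, which is why statically addressed hosts on such ports need a static binding rather than none.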

Building the Layers

[Figure: defence layers stacked: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard]

Port security prevents CAM attacks and DHCP starvation attacks

DHCP snooping prevents rogue DHCP server attacks

Dynamic ARP inspection prevents current ARP attacks

IP source guard prevents IP/MAC spoofing


Spanning Tree Basics

STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure

STP is very simple; messages are sent using Bridge Protocol Data Units (BPDUs); the basic messages are configuration and topology change notification/acknowledgment (TCN/TCA); most have no “payload”

Avoiding loops ensures broadcast traffic does not become storms

[Figure: a switch is elected as root; a ‘tree-like’ loop-free topology is established from the perspective of the root bridge, with the redundant link blocked (X). Root selection is based on the lowest configured priority of any switch, 0–65535]

Spanning Tree Attack Example

Send BPDU messages to become root bridge

[Figure: two root-capable switches at the core with access switches below; STP blocks one link (X). The attacker, connected to two access switches, sends BPDUs claiming to be root]

Spanning Tree Attack Example

Send BPDU messages to become root bridge; the attacker then sees frames he shouldn’t

MITM, DoS, etc. are all possible

Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a Gb backbone down to half-duplex 10 Mb was verified

Requires that the attacker is dual-homed to two different switches

[Figure: the attacker has become root; the link between the original core switches is now the blocked one (X)]

STP Attack Mitigation

Try to design loop-free topologies wherever possible, so you do not need STP

Don’t disable STP; introducing a loop would become another attack. The exception is loop-free topologies (like layer 3 at the access switch)

BPDU guard: should be run on all user-facing ports and infrastructure-facing ports; it disables ports using PortFast upon detection of a BPDU message on the port

Cisco Discovery Protocol

Useful protocol, but it could lead to information leakage

Enabled in the core; disabled on host-facing interfaces (except phones)

There was a DoS attack against CDP, but it has been fixed for years

Basic Trunk Port Defined

Trunk ports have access to all VLANs by default

Used to route traffic for multiple VLANs across the same physical link (generally between switches or phones)

Encapsulation can be 802.1q or ISL

[Figure: two switches, each with hosts in VLAN 10 and VLAN 20, joined by a trunk carrying VLAN 10 and VLAN 20 plus a native VLAN]

Dynamic Trunk Protocol (DTP)

What is DTP? It automates 802.1q/ISL trunk configuration; it operates between switches (a Cisco IP phone is a switch); it does not operate on routers; support varies, check your device

DTP synchronizes the trunking mode on end links

The DTP state on an 802.1q/ISL trunking port can be set to “Auto”, “On”, “Off”, “Desirable”, or “Non-Negotiate”

Basic VLAN Hopping Attack

An end station can spoof as a switch with ISL or 802.1q

The station is then a member of all VLANs

[Figure: the end station negotiates a trunk (native VLAN, VLAN 10, VLAN 20) with its access switch, just like the trunk between the two switches]

Double 802.1q Encapsulation VLAN Hopping Attack

Send 802.1q double-encapsulated frames

The switch performs only one level of decapsulation

Unidirectional traffic only

Works even if trunk ports are set to off

[Figure: the attacker's frame carries two 802.1q tags; the first switch strips off the first tag and sends the frame back out over the trunk, where the remaining 802.1q tag is still on the frame]

Note: only works if the trunk has the same VLAN as the attacker
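An added Python example, not from the deck, of what a switch finds when it parses the tag stack of a frame arriving on a host-facing access port, and of the policy the countermeasure slides call "disable VLAN tag on access ports": a tagged frame on an access port is dropped instead of being forwarded with a leftover inner tag. The build_frame helper, parse_vlan_tags, access_port_decision and the sample MAC addresses are constructed for the demonstration:

```python
"""802.1Q tag-stack parser plus the access-port policy the deck recommends
("disable VLAN tag on access ports"). Added teaching example; not Cisco code.
The sample MAC addresses and frames are constructed."""
import struct

TPID_8021Q = 0x8100
SAMPLE_DST = bytes.fromhex("000e00bbbbbb")   # constructed addresses
SAMPLE_SRC = bytes.fromhex("000e00aaaaaa")


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Encode an Ethernet frame with zero or more 802.1Q tags (PCP/DEI left at 0)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Return (VLAN IDs in outer-to-inner order, ethertype of the payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vids = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype != TPID_8021Q:
            return vids, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        offset += 4


def access_port_decision(frame, port_vlan):
    """A host-facing access port should only carry untagged frames, which the
    switch places in its configured VLAN. Any tagged frame, single or double,
    is dropped: a switch that merely stripped one tag would leave the inner
    tag in place, which is the behaviour the double-encapsulation slide relies on."""
    vids, _ = parse_vlan_tags(frame)
    if vids:
        return ("drop", vids)
    return ("forward", [port_vlan])


if __name__ == "__main__":
    for label, vids in (("untagged", []), ("tagged", [10]), ("double-tagged", [10, 20])):
        print(label, access_port_decision(build_frame(SAMPLE_DST, SAMPLE_SRC, vids), 10))
```

The parser walks the tag stack until it meets a non-802.1Q ethertype, so the returned list makes the depth of encapsulation visible to whatever logging or alerting sits behind the drop decision.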

Security Best Practices for VLANs and Trunking

Always use a dedicated VLAN ID for all trunk ports

Disable unused ports and put them in an unused VLAN

Be paranoid: do not use VLAN 1 for anything

Disable auto-trunking on user-facing ports (DTP off)

Explicitly configure trunking on infrastructure ports

Use all-tagged mode for the native VLAN on trunks

Use PC voice VLAN access on phones that support it

VLAN Hopping

The attacker sends frames to another VLAN but is unable to receive traffic back

Counter measures:
Disable trunking on all host ports (except phones)
Never use VLAN 1 anywhere
Use a specific VLAN for the trunk native VLAN
Disable VLAN tags on access ports
Enforce VLAN tags on trunk ports
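An added Python audit, not a Cisco tool, that checks an IOS-style running-config against the best practices listed above and on the VLAN hopping, STP mitigation and CDP slides. SAMPLE_CONFIG, its hostname and interface names are constructed; the checks only recognise the per-interface command forms shown in it (the global 'spanning-tree portfast bpduguard default' form is not considered):

```python
"""Audit an IOS-style running-config against the deck's VLAN/trunking, DTP, BPDU
guard and CDP recommendations. Added teaching example; not a Cisco tool. The
sample configuration is constructed; its commands are standard IOS syntax."""
import re

SAMPLE_CONFIG = """
hostname access-sw1
ip dhcp snooping
!
interface FastEthernet0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
interface FastEthernet0/2
 description user port, left at defaults
 switchport mode dynamic desirable
 switchport access vlan 1
!
interface GigabitEthernet0/1
 description uplink, hardened
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink, left at defaults
 switchport mode trunk
!
"""


def parse_config(config):
    """Split a running-config into {interface: [commands]} and the global commands."""
    interfaces, global_cmds, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return interfaces, global_cmds


def audit_interface(cmds):
    """Return the list of findings for one switchport."""
    findings = []

    def has(prefix):
        return any(c.startswith(prefix) for c in cmds)

    def value(prefix, default):
        return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), default)

    if has("shutdown"):
        return findings                       # disabled port: nothing to negotiate
    mode = value("switchport mode ", None)
    if mode is None or mode.startswith("dynamic"):
        findings.append("trunking left to DTP negotiation: set 'switchport mode access' or 'switchport mode trunk'")
    if not has("switchport nonegotiate"):
        findings.append("DTP not disabled: add 'switchport nonegotiate'")
    if mode == "access":
        if value("switchport access vlan ", "1") == "1":
            findings.append("access port in VLAN 1: move it to a dedicated VLAN")
        if not has("switchport port-security"):
            findings.append("port security not enabled")
        if not has("spanning-tree bpduguard enable"):
            findings.append("BPDU guard not enabled on host-facing port")
        if not has("no cdp enable"):
            findings.append("CDP enabled on host-facing port")
    elif mode == "trunk":
        if value("switchport trunk native vlan ", "1") == "1":
            findings.append("trunk native VLAN is 1: use a dedicated VLAN ID")
        if not has("switchport trunk allowed vlan "):
            findings.append("trunk carries all VLANs: prune with 'switchport trunk allowed vlan'")
    return findings


def audit(config):
    """Per-interface findings plus the global native-VLAN tagging check."""
    interfaces, global_cmds = parse_config(config)
    report = {name: audit_interface(cmds) for name, cmds in interfaces.items()}
    report["global"] = [] if "vlan dot1q tag native" in global_cmds else [
        "native VLAN sent untagged on trunks: add 'vlan dot1q tag native'"]
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The two hardened interfaces come back clean; the port left in dynamic mode and the trunk left at defaults each produce the findings the slides warn about, and the missing global native-VLAN tagging is reported separately because it is not an interface-level setting.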

Control Plane Protection

Even on hardware switches, some frames always go to the main CPU: ARP, and packets addressed to the switch (OSPF, ICMP, BPDU)

DoS happens when too many packets go to the CPU; at 100% CPU there is a loss of adjacencies, no more ARP, ...

Use control plane policing: rate limit those packets; this is done in hardware and transparently in most switches

Switch Management

Management can be your weakest link: all the great mitigation techniques we talked about aren’t worth much if the attacker telnets into your switch and disables them

Most of the network management protocols we know and love are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.); consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP, etc.); where that is impossible, consider out-of-band (OOB) management

Put management into a dedicated non-standard VLAN where nothing but management traffic resides; consider physically back-hauling this interface to your management network

When OOB management is not possible, at least limit access to the management protocols using the “set ip permit” lists on the management protocols

SSH is available on Catalyst 6K with Catalyst OS 6.1 and Catalyst 4K/29XXG with Catalyst OS 6.3; 3550 in 12.1(11)EA1; 2950 in 12.1(12c)EA1; Cisco IOS 6K 12.1(5c)E12; IOS 4K in 12.1(13)EW

Summary

Matrix for Security Features 1 of 3

Feature / Platform        6500/Catalyst OS   6500/Cisco IOS   4500/Cisco IOS   4500/Catalyst OS
Dynamic Port Security     7.6(1)             12.1(13)E        12.1(13)EW       5.1(1)
DHCP Snooping             8.3(1)             12.2(18)SXE*     12.1(12c)EW**    N/A
DAI                       8.3(1)             12.2(18)SXE*     12.1(19)EW**     N/A
IP Source Guard           8.3(1)*            12.2(18)SXD2     12.1(19)EW**     N/A

* Requires Sup720; support for Sup32 DHCP Snooping and DAI Q3CY05
** For the Catalyst 4500/IOS-based platforms, this requires Sup2+, Sup3, Sup4, Sup5; these Sups are supported on the Catalyst 4006, 4503, 4506, and 4507R chassis
NOTE: There are no plans to support these features for any Catalyst 4000/4500 platform running CatOS, or any 2900 platform

For your reference

Matrix for Security Features 2 of 3

Feature / Platform        2950 SI         2950 EI         2970 EI         3550 EMI        3750/3560 EMI
Dynamic Port Security     12.0(5.2)WC1    12.0(5.2)WC1    12.1(11)AX      12.2(25)SEA     12.1(25)SE
DHCP Snooping             N/A             12.1(19)EA1     12.1(19)EA1     12.2(25)SEA     12.1(25)SE
DAI                       N/A             N/A             N/A             12.2(25)SEA     12.2(25)SE
IP Source Guard           N/A             N/A             N/A             12.2(25)SEA     12.2(25)SE

Note: old names of the Cisco IOS for the 3000 series switches; see the Cisco IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

For your reference

Matrix for Security Features 3 of 3

Feature / Platform        3550 IP Base    3750/3560 IP Base   3550 Advanced IP   3750/3560 Advanced IP
Dynamic Port Security     12.2(25)SEA     12.1(25)SE          12.2(25)SEA        12.1(25)SE
DHCP Snooping             12.2(25)SEA     12.1(25)SE          12.2(25)SEA        12.1(25)SE
DAI                       12.2(25)SEA     12.1(25)SE          12.2(25)SEA        12.2(25)SE
IP Source Guard           12.2(25)SEA     12.1(25)SE          12.2(25)SEA        12.2(25)SE

Note: old names of the Cisco IOS for the 3000 series switches; see the Cisco IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

For your reference

Conclusion

Layer 2 is not only dumb pipes; you need to secure those pipes

Easy and free: port security, DHCP snooping, ARP inspection, source guard, BPDU guard

[Figure: defence layers stacked: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard]

Q & A