mitigating layer 2 attacks securing layer 2 access
Post on 01-Apr-2015
237 Views
Preview:
TRANSCRIPT
Mitigating Layer 2 Attacks
Securing Layer 2 Access
Layer 2 Security Issues
Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions, and there is lack of security at this layer.
Many security features are available for switches and routers, but they must be enabled to be effective.
However, as with access control lists (ACL) for upper-layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations.
Security Infrastructure Services
Access
Distribution
Core
Server Farm
•Use switchport security to control access to the network.
•Use ACLs to provide security and filtering.
•Do not perform security operations – increases performance
•Use private VLANs, IPS, logging and ACLs
Layer 2 Malicious Attacks
Layer 2 malicious attacks are typically launched by a device connected to the campus network. This can be a physical rogue device placed on the network or an external intrusion that takes control of and launches attacks from a trusted device.
In either case, the network sees all traffic as originating from a legitimate connected device.
The following lists the types of attacks launched against switches and Layer 2:
1. MAC layer attacks (e.g. MAC address flooding). 2. VLAN attacks (e.g. VLAN hopping).3. Spoof attacks (e.g. DHCP, MAC & ARP spoofing).4. Switch device attacks (e.g. CDP manipulation,
Telnet attacks).
MAC Flood Attack
•To mitigate against MAC flooding, port security is configured to define the number of MAC addresses that are allowed on a given port. •Port security can also specify which MAC address is allowed on a given port.
Switch Configuration – Port Security
•To limit the number of addresses that can be learned on an interface switches provide a feature called port security.
•The number of MAC addresses per port can be limited to 1.
•Secure addresses can be assigned statically or dynamically learned by the switch.S1(config)#interface fa0/1
S1(config-if)# switchport port-security ?
aging Port-security aging commandsmac-address secure mac addressmaximum max secure addrsviolation security violation mode
Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.
Switch Configuration – Port Security
Port Security: Violation
By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:
Protect: Frames from the non-allowed address are dropped, but there is no log of the violation. The protect argument is platform or version dependent.
Restrict: Frames from the non-allowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent.
Shut down: If any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Port LED is switched off.
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
Switch Configuration – Port Security
DLS1(config)# interface FastEthernet 0/1 DLS1(config-if)# switchport DLS1(config-if)# switchport mode access DLS1(config-if)# switchport port-security DLS1(config-if)# switchport port-security mac-address 0000.0000.0008 DLS1(config-if)# switchport port-security maximum 1 DLS1(config-if)# switchport port-security aging static DLS1(config-if)# switchport port-security violation restrict DLS1(config-if)# switchport block unicast
DLS1(config)# interface FastEthernet 0/2 DLS1(config-if)# switchport DLS1(config-if)# switchport mode access DLS1(config-if)# switchport port-security DLS1(config-if)# switchport port-security mac-address sticky DLS1(config-if)# switchport port-security maximum 2 DLS1(config-if)# switchport port-security aging static DLS1(config-if)# switchport port-security violation shutdown
Fa0/1 Fa0/2
DLS1 PC1Server
Verify Port Security
DLS1# show running-config fastethernet 0/2interface FastEthernet0/1
switchport access vlan 2
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation shutdown
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001b.d513.2ad2
DLS1# show port-security address Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- --- ----- -------------
2 001b.d513.2ad2 SecureSticky Fa0/2 -
VLAN Hopping – Switch Spoofing
802.1q Native VLAN 1
VLAN 20
VLAN 10
VLAN 20
VLAN 20
802.1q Native VLAN 1VLANS 10 & 20
•In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with DTP negotiations, to establish a trunk connection to the switch. •By default, a trunk connection provides an attacker with access to all VLANs in the network.
S1 S2
Trunk
TrunkAttacker
VLAN Hopping – Double Tagging
Data VLAN20 VLAN10
802.1q Native VLAN 10
VLAN 10
Data VLAN20
Data
VLAN 10
VLAN 10
VLAN 20
1. Attacker sends a double-tagged broadcast packet into the local access-LAN.
2. Switch 1 forwards this across the trunk, removing the first tag, as it matches the native VLAN.
3. Switch 2 receives the packet, and forwards it into VLAN 20.
S1 S2
Access Port Trunk
Mitigating VLAN HoppingSwitch Spoofing:
Configure all unused ports as access ports so that trunking cannot be negotiated across those links. Place all unused ports in the shutdown state and associate with a VLAN designated only for unused ports, carrying no user data traffic. • Switch Spoofing:• Configure the native VLAN with an unused VLAN, which can then
be pruned off the trunk:
S1(conf)#vlan 800
S1(conf-vlan)# name bogus_native
S1(conf)#int fa0/1
S1(conf-if)#switchport trunk encap dot1q
S1(conf-if)#switchport trunk native vlan 800
S1(conf-if)#switchport trunk allowed vlan remove 800
S1(conf-if)# Switchport mode trunk
VLAN Access Control Lists Router access control list (RACL): Applied to Layer 3 interfaces such
as SVI or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction.
Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port.
VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).
VACL Configuration
Computer
Computer
Server192.168.10.10/24VLAN 10
Host 1192.168.10.20/24VLAN 10
Host 2192.168.20.20/24VLAN 20
Deny all traffic from VLAN 20 reaching the VLAN 10 server
DLS1
1.Create ACL to define traffic to block:DLS1(config)#ip access-list extended DENY_SERVERDLS1(conf-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 host 192.168.10.10
2. Create VLAN map to block and forward traffic:DLS1(config)# vlan access-map DENY_MAP 10DLS1(config-access-map)#match ip address DENY_SERVERDLS1(config-access-map)#action dropDLS1(config-access-map)#exitDLS1(config)#vlan access-map DENY_MAP 20DLS1(config-access-map)#action forward
3. Apply VLAN map to VLAN 10DLS1(config)#vlan filter DENY_MAP vlan-list 10
top related