Don't Get Caught with Your Layers Down
Steve Jaworski and Bryan Young
© Steve Jaworski, Bryan Young 2010

Upload: northeast-ohio-information-security-forum

Posted on 04-Jul-2015


Category: Technology



DESCRIPTION

From our February 2010 meeting. Given by Steve Jaworski and Bryan Young. Implementing the security features already included with your Layer 2 and Layer 3 infrastructure can give your organization additional protection. This presentation focuses on features your vendors should be providing you. Topics covered include access lists, ARP inspection, DHCP snooping, 802.1X, private VLANs, MAC address security, routing security, and various other topics. Tools to test or attack each of these are also discussed.

TRANSCRIPT

Page 1: Dont Get Caught With Your Layers Down

Don't Get Caught with Your

Layers Down

With

Steve Jaworski

Bryan Young

© Steve Jaworski, Bryan Young

2010

Page 2: Dont Get Caught With Your Layers Down

Agenda

• Discuss Common Layer 2 and Layer 3

– Attacks

– Tools

– Protection

• Questions you should be asking your

vendors

• Bryan vs Steve (Points of View)


Page 3: Dont Get Caught With Your Layers Down

L2 Discovery Protocols

• Proprietary

– CDP Cisco

– FDP Foundry/Brocade

– LLTD Microsoft – Vista, Win 7 (Link Layer Topology Discovery)

• Open Standard

– LLDP Link Layer Discovery Protocol (IEEE 802.1AB)


Page 4: Dont Get Caught With Your Layers Down

L2 Examples

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
(*) indicates a CDP device

Device ID    Local Int      Holdtm  Capability  Platform  Port ID
-----------  -------------  ------  ----------  --------  --------------
Head         ethernet1/1    141     Router      Router 1  ethernet3/3
Head         ethernet1/2    141     Router      Router 1  ethernet3/4
Building A   ethernet1/3    120     Switch      Switch    ethernet49
Building B   ethernet1/4    165     Switch      Switch    ethernet49
Building C   ethernet1/5    170     Switch      Switch    ethernet49
Building D   ethernet1/6    144     Router      Router 2  ethernet1
Building E   ethernet1/7    157     Switch      Switch    ethernet0/1/47
Building F   ethernet1/8    180     Switch      Switch    ethernet49
Building G   ethernet1/9    168     Switch      Switch    ethernet49
Building H   ethernet1/10   127     Switch      Switch    ethernet49


Page 5: Dont Get Caught With Your Layers Down

L2 Discovery Attacks

• Yersinia Framework (http://www.yersinia.net/)

  – Supports Cisco Discovery Protocol

    • Sending RAW CDP packet

    • DoS: flooding the CDP neighbors table

    • Setting up a “Virtual Device”

• IRPAS (http://www.phenoelit-us.org/fr/tools.html)

– DoS Attack

– Spoof Attack

– VLAN Assignment

– DHCP Assignment

– 802.1Q VLAN Assignment


Page 6: Dont Get Caught With Your Layers Down

L2 Discovery Protocols Protection

• Turn off on user edge ports

    interface GigabitEthernet1/1
     ip address 192.168.100.1 255.255.255.0
     no cdp enable

• Where should I enable it?

  – May be a necessary evil for VoIP (phones learn their voice VLAN from CDP or LLDP-MED)

  – Bryan vs Steve
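To make the neighbor-table DoS and the "turn it off on edge ports" advice concrete, here is an added example (not code from the slides or from Yersinia): a minimal CDPv2 encoder/decoder and a neighbor table of fixed size. An attacker on an edge port floods fake neighbors until the table is full and the real uplink router can no longer be learned; with CDP disabled on that edge port the frames are ignored. The TLV layout and type codes are the real CDP ones; the table capacity, the "yersinia-NNN" device names and the port names are made up, and the checksum ignores CDP's odd-length quirk (assumption, noted in the code). The "Head / Router 1 / ethernet3/3" neighbor is taken from the L2 Examples slide.

```python
import struct

# CDP TLV type codes and capability bits (real protocol values)
TLV_DEVICE_ID = 0x0001
TLV_PORT_ID = 0x0003
TLV_CAPABILITIES = 0x0004
TLV_PLATFORM = 0x0006
CAP_ROUTER = 0x01
CAP_SWITCH = 0x08


def _checksum(data: bytes) -> int:
    """16-bit ones'-complement checksum. Assumption: CDP's odd-length quirk
    is ignored, the payload is simply zero-padded to an even length."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """One CDP TLV: type(2) length(2, includes this 4-byte header) value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(device_id: str, port_id: str, platform: str,
              caps: int = CAP_SWITCH, ttl: int = 180) -> bytes:
    """CDPv2 payload: version(1) ttl(1) checksum(2) followed by TLVs."""
    body = (_tlv(TLV_DEVICE_ID, device_id.encode())
            + _tlv(TLV_PORT_ID, port_id.encode())
            + _tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + _tlv(TLV_PLATFORM, platform.encode()))
    csum = _checksum(struct.pack("!BBH", 2, ttl, 0) + body)
    return struct.pack("!BBH", 2, ttl, csum) + body


def parse_cdp(payload: bytes) -> dict:
    """Decode a CDPv2 payload, checking version, checksum and TLV bounds."""
    version, ttl, csum = struct.unpack("!BBH", payload[:4])
    if version != 2:
        raise ValueError("unsupported CDP version %d" % version)
    if _checksum(payload[:2] + b"\x00\x00" + payload[4:]) != csum:
        raise ValueError("bad CDP checksum")
    fields = {"ttl": ttl}
    pos = 4
    while pos + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[pos:pos + 4])
        if length < 4 or pos + length > len(payload):
            raise ValueError("malformed TLV at offset %d" % pos)
        value = payload[pos + 4:pos + length]
        if tlv_type == TLV_DEVICE_ID:
            fields["device_id"] = value.decode()
        elif tlv_type == TLV_PORT_ID:
            fields["port_id"] = value.decode()
        elif tlv_type == TLV_PLATFORM:
            fields["platform"] = value.decode()
        elif tlv_type == TLV_CAPABILITIES:
            fields["caps"] = struct.unpack("!I", value)[0]
        pos += length
    return fields


class NeighborTable:
    """A switch's CDP neighbor cache with a fixed capacity (made-up limit)."""

    def __init__(self, capacity: int = 64):
        self.capacity = capacity
        self.entries = {}        # (local port, device id) -> decoded fields
        self.cdp_enabled = {}    # local port -> bool; default is enabled

    def receive(self, local_port: str, payload: bytes) -> bool:
        """Handle a CDP frame seen on local_port; True if it was cached."""
        if not self.cdp_enabled.get(local_port, True):
            return False         # 'no cdp enable' on this port: frame ignored
        fields = parse_cdp(payload)
        key = (local_port, fields["device_id"])
        if key not in self.entries and len(self.entries) >= self.capacity:
            return False         # table exhausted: new neighbor is dropped
        self.entries[key] = fields
        return True


def flood_demo(disable_cdp_on_edge: bool) -> bool:
    """An attacker on edge port ethernet1/12 floods fake neighbors, then the
    real uplink router announces itself on ethernet1/1. Returns whether the
    real neighbor could still be learned."""
    table = NeighborTable(capacity=64)
    table.cdp_enabled["ethernet1/12"] = not disable_cdp_on_edge
    for i in range(500):
        fake = build_cdp("yersinia-%03d" % i, "eth0", "Linux", caps=CAP_ROUTER)
        table.receive("ethernet1/12", fake)
    real = build_cdp("Head", "ethernet3/3", "Router 1", caps=CAP_ROUTER)
    return table.receive("ethernet1/1", real)


if __name__ == "__main__":
    print("CDP on edge port, real neighbor learned:", flood_demo(False))
    print("CDP off on edge port, real neighbor learned:", flood_demo(True))
```

The parser refuses frames with a bad checksum or a TLV that runs past the payload, which is the minimum a receiver should do before touching the neighbor table; the flood still succeeds against a correct parser, because every fake frame is well formed. Only the per-port switch (the `no cdp enable` of the slide) stops it.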


Page 7: Dont Get Caught With Your Layers Down

L2 Discovery Design


Page 8: Dont Get Caught With Your Layers Down

Ask Your Vendors

• Ability to turn off discovery protocols (per port, not only globally)

• Understand all features of the proprietary protocols (what they advertise, who listens)


Page 9: Dont Get Caught With Your Layers Down

VLAN 802.1Q

• Does a VLAN provide security?

– Bryan vs Steve

• Great for segmenting broadcast domains

• Organize your hosts

• Finding points of origin


Page 10: Dont Get Caught With Your Layers Down

VLAN 802.1Q Design


Page 11: Dont Get Caught With Your Layers Down

VLAN Attacks

• Switch spoofing (the attacker's port negotiates itself into a trunk)

• Double tagging (VLAN hopping with a double-encapsulated 802.1Q frame)

• Yersinia Framework

  – Supports VLAN Trunking Protocol (Cisco)

    • Sending raw VTP packet

    • Deleting ALL VLANs

    • Deleting a selected VLAN

    • Adding one VLAN

    • Catalyst crash

  – Supports standard 802.1Q

    • Sending raw 802.1Q packet

    • Sending double-encapsulated 802.1Q packet

    • Sending 802.1Q ARP poisoning (MITM)


Page 12: Dont Get Caught With Your Layers Down

VLAN Protection

• No tagged frames on edge ports

• Use tagged frames only when necessary (VoIP)

  – Lock down the VoIP VLAN

• Keep user ports out of the trunks' native VLAN (and tag the native VLAN on trunks), which is what double tagging relies on

• Lock down routing between VLANs

• Turn off VTP (Cisco); set up VLANs manually

• Multi-Device Port Authentication

• Specify uplink ports (limits where broadcasts and unknown unicasts are flooded)
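The double-tagging attack on the previous slide and the first protection bullets on this one can be walked through in code. This is an added example, not code from the slides: it builds 802.1Q tagged frames and models two switch behaviours, an access switch whose uplink is a trunk with a native VLAN, and the next switch's trunk ingress. The MAC addresses, VLAN numbers (1 for the attacker's port, 20 for the target) and the payload are made up.

```python
import struct
from typing import List, Optional

ETH_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, vlans: List[int], payload: bytes,
                ethertype: int = ETH_IPV4) -> bytes:
    """Ethernet frame carrying one 802.1Q tag per VLAN ID, outermost first."""
    tags = b"".join(struct.pack("!HH", ETH_8021Q, vid & 0x0FFF) for vid in vlans)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> List[int]:
    """VLAN IDs carried by the frame, outermost first (empty = untagged)."""
    vids, pos = [], 12
    while struct.unpack("!H", frame[pos:pos + 2])[0] == ETH_8021Q:
        vids.append(struct.unpack("!H", frame[pos + 2:pos + 4])[0] & 0x0FFF)
        pos += 4
    return vids


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def add_outer_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETH_8021Q, vid) + frame[12:]


def edge_switch(frame: bytes, port_vlan: int, native_vlan: int,
                accept_tagged: bool = False, tag_native: bool = False) -> Optional[bytes]:
    """Access switch: the host port belongs to port_vlan, the uplink is an
    802.1Q trunk whose native VLAN is native_vlan. Returns the frame as it
    leaves the trunk, or None if the edge port dropped it."""
    vids = parse_tags(frame)
    if vids:
        if not accept_tagged or vids[0] != port_vlan:
            return None                    # tagged frame on an edge port: dropped
        frame = strip_outer_tag(frame)     # the tag is consumed as the port's VLAN
    if port_vlan == native_vlan and not tag_native:
        return frame                       # native VLAN leaves the trunk untagged
    return add_outer_tag(frame, port_vlan)


def core_switch(frame: bytes, native_vlan: int) -> int:
    """Trunk ingress on the next switch: the VLAN the frame is delivered into."""
    vids = parse_tags(frame)
    return vids[0] if vids else native_vlan


def hop_demo(native_vlan: int = 1, accept_tagged: bool = True,
             tag_native: bool = False) -> Optional[int]:
    """Attacker on an access port in VLAN 1 sends outer tag 1 / inner tag 20,
    aiming at a host in VLAN 20 behind the core switch. Returns the VLAN the
    core switch delivers into, or None if the frame was dropped at the edge."""
    attack = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20],
                         b"\x45" + b"\x00" * 19)   # constructed IPv4-looking payload
    on_wire = edge_switch(attack, port_vlan=1, native_vlan=native_vlan,
                          accept_tagged=accept_tagged, tag_native=tag_native)
    if on_wire is None:
        return None
    return core_switch(on_wire, native_vlan)


if __name__ == "__main__":
    print("weak defaults:", hop_demo())                      # 20: hopped into VLAN 20
    print("no tagged frames on edge:", hop_demo(accept_tagged=False))
    print("unused native VLAN:", hop_demo(native_vlan=999))
    print("native VLAN tagged:", hop_demo(tag_native=True))
```

With the weak settings (edge port accepts a tagged frame, user VLAN equals the trunk's native VLAN) the first switch strips the outer tag and forwards the frame untagged, so the second switch honours the inner tag 20. Any one of the three fixes breaks the chain: dropping tagged frames on edge ports, moving the native VLAN to an unused ID, or tagging the native VLAN so the outer tag is never removed.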


Page 13: Dont Get Caught With Your Layers Down

Ask Your Vendors

• Multi-Device Port Authentication

• Dynamic VLAN Assignment


Page 14: Dont Get Caught With Your Layers Down

Private VLAN

• Limits communication between hosts at Layer 2


Page 15: Dont Get Caught With Your Layers Down

Private VLAN Design


Page 16: Dont Get Caught With Your Layers Down

Private VLAN Attacks

• Hosts can still communicate at Layer 3 (the gateway on the promiscuous port will route between them unless an ACL stops it)

• Community

  – Still a broadcast domain within the community

    • ARP spoofing

    • 802.1Q attacks

• Isolated

  – 802.1Q attacks


Page 17: Dont Get Caught With Your Layers Down

Private VLAN Protection

• ACL at Layer 3 on the gateway (deny traffic between hosts of the same subnet that the private VLAN was meant to separate)

• Avoid the community setup; prefer isolated ports


Page 18: Dont Get Caught With Your Layers Down

Ask Your Vendors

• Community and isolated VLANs

• Ask for isolated


Page 19: Dont Get Caught With Your Layers Down

Spanning Tree

• Prevents bridge loops

• Provides redundancy in Layer 2 topologies

• STP and RSTP


Page 20: Dont Get Caught With Your Layers Down

Spanning Tree Design


Page 21: Dont Get Caught With Your Layers Down

Spanning Tree Attack

• Man in the middle (an attacker with two interfaces becomes root and pulls traffic through itself)

• BPDU flooding (DoS with configuration or topology-change BPDUs)

  – BPDU = Bridge Protocol Data Unit

• Insert a device claiming to be the root bridge

• Claiming other roles on the network


Page 22: Dont Get Caught With Your Layers Down

Spanning Tree Protection

• Assign BPDU Guard

  – Set up edge ports to never accept BPDUs (a host port should never see one)

  – Port is error-disabled if a BPDU is received

• Assign Root Guard

  – Keep one switch as the root

  – Port is blocked (root-inconsistent) if a superior BPDU, one with a lower bridge ID, is received; it recovers when they stop


Page 23: Dont Get Caught With Your Layers Down

Ask Your Vendors

• BPDU Guard

• Root Guard

• Handling of an all-“0” BPDU (priority 0, bridge MAC 00:00:00:00:00:00: the lowest possible bridge ID, so it wins any root election)
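The three spanning-tree slides above (the root-claim attack, BPDU Guard and Root Guard, and the all-zero BPDU question) can be tied together in a small model. This is an added example, not code from the slides: it implements root election by bridge ID and the two guards, then lets an attacker on an edge port send a BPDU whose bridge ID is all zeros. Switch names, MAC addresses and priorities are made up; the comparison rule (lower priority, then lower MAC, wins) is the real one.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 0..61440, multiples of 4096 on real switches
    mac: str

    def key(self) -> Tuple[int, int]:
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def __lt__(self, other: "BridgeId") -> bool:
        return self.key() < other.key()   # the lower bridge ID wins the root election


@dataclass
class Bpdu:
    root_id: BridgeId      # who the sender believes is root
    sender_id: BridgeId


ALL_ZERO = BridgeId(0, "00:00:00:00:00:00")   # the best possible bridge ID


@dataclass
class Switch:
    name: str
    bridge_id: BridgeId
    bpdu_guard_ports: Set[str] = field(default_factory=set)   # edge ports
    root_guard_ports: Set[str] = field(default_factory=set)   # ports that must never lead to root
    root_id: Optional[BridgeId] = None
    err_disabled: Set[str] = field(default_factory=set)
    root_inconsistent: Set[str] = field(default_factory=set)

    def __post_init__(self):
        self.root_id = self.bridge_id   # every bridge starts out believing it is root

    def receive(self, port: str, bpdu: Bpdu) -> str:
        """Process one BPDU received on port and report what the switch did."""
        if port in self.bpdu_guard_ports:
            self.err_disabled.add(port)           # an edge port must never see a BPDU
            return "err-disabled"
        if bpdu.root_id < self.root_id:           # superior BPDU: claims a better root
            if port in self.root_guard_ports:
                self.root_inconsistent.add(port)  # blocked while superior BPDUs arrive
                return "root-inconsistent"
            self.root_id = bpdu.root_id
            return "new-root"
        return "ignored"


def attack_demo(bpdu_guard_on_edge: bool = False,
                root_guard_on_edge: bool = False) -> Tuple[str, bool]:
    """A core switch (priority 4096) is the legitimate root; an attacker on
    access-switch port e1/12 sends a BPDU with an all-zero bridge ID.
    Returns (what the access switch did, whether the core is still root)."""
    core = Switch("core", BridgeId(4096, "00:1a:2b:00:00:01"))
    access = Switch("access", BridgeId(32768, "00:1a:2b:00:00:02"))
    access.receive("uplink", Bpdu(core.bridge_id, core.bridge_id))   # normal convergence
    if bpdu_guard_on_edge:
        access.bpdu_guard_ports.add("e1/12")
    if root_guard_on_edge:
        access.root_guard_ports.add("e1/12")
    result = access.receive("e1/12", Bpdu(ALL_ZERO, ALL_ZERO))
    return result, access.root_id == core.bridge_id


if __name__ == "__main__":
    print("no guards:", attack_demo())
    print("BPDU guard on edge:", attack_demo(bpdu_guard_on_edge=True))
    print("root guard on edge:", attack_demo(root_guard_on_edge=True))
```

Without guards the all-zero BPDU wins outright, which is why the vendor question on this slide matters: a platform that accepts a bridge MAC of all zeros has nothing but the guards between it and a forged root. BPDU Guard is the right answer on host ports (no BPDU is ever legitimate there); Root Guard is for ports that may carry BPDUs from other switches but must never become the path to root.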


Page 24: Dont Get Caught With Your Layers Down

ACLs

• We all know what they are

  – Standard (match on source address only)

    access-list 35 deny host 124.107.140.182 log
    access-list 35 deny host 91.19.35.246 log
    access-list 35 deny host 212.227.55.84 log
    access-list 35 deny host 65.55.174.125 log


Page 25: Dont Get Caught With Your Layers Down

ACLs (cont)

  – Extended (match on protocol, source, destination and ports)

    access-list 150 permit tcp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq http
    access-list 150 permit tcp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq ssl
    access-list 150 permit tcp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq dns
    access-list 150 permit udp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq dns

  – Some filter options

    • QoS markings

    • Fragments and offsets

    • Packet length

    • ToS


Page 26: Dont Get Caught With Your Layers Down

ACL Attacks

• Stateless (no connection tracking; “established” only looks at TCP flag bits)

• Encapsulate your packets (tunnel the traffic inside a permitted protocol)

• Fragment overlap ACL bypass (non-initial fragments carry no Layer 4 header to match on)

• DoS by hammering closed IPs and ports

  – CPU- vs ASIC-based routers: denied, logged or unreachable traffic can end up punted to the CPU


Page 27: Dont Get Caught With Your Layers Down

ACL Protection

• Use them for what they are meant for

  – Anti-spoofing (drop packets whose source address cannot legitimately arrive on that interface)

  – IP-to-IP filtering

  – Not meant for application inspection

• “established” (permits only TCP segments with ACK or RST set; it does not make the ACL stateful)

• Strict filtering (permit what is needed, deny and log the rest)
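The ACL slides above (the standard and extended examples, the attacks, and the protection advice) share one underlying mechanic, so here is an added example, not code from the slides, that evaluates IOS-style entries the way the slides describe: wildcard masks, first match wins with an implicit deny, `established` as a pure flag check, and the non-initial-fragment rule (an entry with port or flag information permits a matching fragment if it is a permit and is skipped if it is a deny; the `fragments` keyword matches non-initial fragments only). The fragment rule is modelled on Cisco's documented behaviour and is an assumption for other platforms. ACL 150 and the addresses are the slides' own; the packets and the extra entries are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PORT_NAMES = {"http": 80, "www": 80, "ssl": 443, "https": 443, "dns": 53, "domain": 53, "ssh": 22}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS-style wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                     # "tcp", "udp", "icmp" or "ip"
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN"} or {"ACK"}
    fragment_offset: int = 0              # > 0: non-initial fragment, carries no L4 header


@dataclass
class Ace:
    action: str; proto: str
    src: str; src_wc: str; dst: str; dst_wc: str
    dport: Optional[int] = None; established: bool = False; fragments: bool = False


def parse_ace(line: str) -> Ace:
    """Parse one entry, e.g. 'deny host 1.2.3.4 log' or 'permit tcp any any eq 80'."""
    toks = line.split()
    action = toks.pop(0)
    proto = toks.pop(0) if toks[0] in ("ip", "tcp", "udp", "icmp") else "ip"

    def address():
        tok = toks.pop(0)
        if tok == "any":
            return "0.0.0.0", "255.255.255.255"
        return (toks.pop(0), "0.0.0.0") if tok == "host" else (tok, toks.pop(0))

    src, src_wc = address()
    dst, dst_wc = address() if toks and toks[0] not in ("log", "eq", "established", "fragments") else ("0.0.0.0", "255.255.255.255")
    ace = Ace(action, proto, src, src_wc, dst, dst_wc)
    while toks:                                   # 'log' has no effect on matching
        tok = toks.pop(0)
        if tok == "eq":
            name = toks.pop(0)
            ace.dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        elif tok == "established":
            ace.established = True
        elif tok == "fragments":
            ace.fragments = True
    return ace


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
                and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
            continue
        if ace.fragments:                         # matches non-initial fragments only
            if pkt.fragment_offset == 0:
                continue
            return ace.action
        if pkt.fragment_offset > 0 and (ace.dport is not None or ace.established):
            if ace.action == "permit":
                return "permit"                   # no L4 header to check against
            continue                              # deny with L4 info: skipped
        if ace.dport is not None and pkt.dport != ace.dport:
            continue
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            continue                              # stateless: only the flag bits are checked
        return ace.action
    return "deny"


# The slide's extended ACL 150, as written
ACL_150 = [parse_ace(l) for l in (
    "permit tcp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq http",
    "permit tcp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq ssl",
    "permit tcp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq dns",
    "permit udp 192.168.0.0 0.0.255.255 host 192.16.0.25 eq dns",
)]


def demo() -> dict:
    """Constructed packets against ACL 150, a hardened copy, and an 'established' entry."""
    inside, server = "192.168.5.10", "192.16.0.25"
    web = Packet(inside, server, "tcp", 80, frozenset({"SYN"}))
    ssh = Packet(inside, server, "tcp", 22, frozenset({"SYN"}))
    ssh_fragment = Packet(inside, server, "tcp", 0, frozenset(), fragment_offset=8)
    forged_ack = Packet("203.0.113.9", server, "tcp", 22, frozenset({"ACK"}))
    hardened = [parse_ace("deny ip any any fragments")] + ACL_150
    flags_only = [parse_ace("permit tcp any any established")]
    return {"web": evaluate(ACL_150, web),
            "ssh": evaluate(ACL_150, ssh),
            "ssh_fragment": evaluate(ACL_150, ssh_fragment),
            "ssh_fragment_hardened": evaluate(hardened, ssh_fragment),
            "forged_ack": evaluate(flags_only, forged_ack)}
```

The interesting rows are `ssh_fragment` (a non-initial fragment of a connection the ACL would otherwise deny is permitted by the first `eq http` entry, because there is no port to compare) and `forged_ack` (a packet with ACK set from anywhere passes an `established` entry, since nothing remembers whether a SYN ever went out). The `deny ip any any fragments` entry at the top of the hardened list is the usual fix for the first; the second is why the slide says an ACL is not a firewall.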


Page 28: Dont Get Caught With Your Layers Down

802.1X

• Port Based Access Control

• IEEE Standard


Page 29: Dont Get Caught With Your Layers Down

802.1x Attacks

• Dictionary attack against the authentication method in use (LEAP; PEAP with MS-CHAPv2 inner authentication)

• Rogue authentication server

  – Captures the MS-CHAPv2 (NTLM-style) challenge/response for offline cracking when the client does not validate the server certificate

• Yersinia Framework

  – Supports 802.1X wired authentication

    • Sending raw 802.1X packet

    • MITM 802.1X with 2 interfaces (the attacker's box sits between an authenticated host and the switch port)


Page 30: Dont Get Caught With Your Layers Down

802.1x Protection

• Set authentication failure limits (slow down dictionary attacks)

• Clients must validate the server certificate (issuing CA and server name), not merely require one

• Move to a certificate per host (EAP-TLS)

• Multi-Device Port Authentication


Page 31: Dont Get Caught With Your Layers Down

Multi-Port Authentication


Page 32: Dont Get Caught With Your Layers Down

Ask Your Vendors

• Username/password and MAC/password authentication

• Avoid MAC/MAC authentication (the MAC is both the username and the password)

• Are VSAs required?

• Will the RADIUS server support VSAs and EAP?

• Dynamic VLAN assignment

• Dynamic ACL assignment


Page 33: Dont Get Caught With Your Layers Down

MAC Address

• The 48-bit address

  – e.g. 12:45:AC:65:79:0F

• Meant to be a unique ID for every network interface (but settable in software on most of them)


Page 34: Dont Get Caught With Your Layers Down

MAC Attacks

• Easy to spoof

• With MAC authentication the MAC address is the RADIUS username and often also the password, so knowing a device's MAC can be enough to authenticate as that user or device

• Flood the MAC (forwarding) table of the switch


Page 35: Dont Get Caught With Your Layers Down

MAC Protection

• The MAC address should not be the password for network authentication

  – Have the network device send a configured password instead

• Limit the MAC table (size and aging)

• Limit the number of MAC addresses per port (port security)

• Layer 2 ACL: filter MACs by OUI

  – Organizationally Unique Identifier (the first 24 bits of the address)

• Don’t rely on MAC address authentication
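The flooding attack on the previous slide and the per-port limit and OUI filter on this one are easiest to see in a forwarding-table model. This is an added example, not code from the slides: a switch that learns source MACs per port and ages them out, with an optional port-security limit (violation shuts the port) and an optional OUI allow-list. The table size (256 entries), the 300-second aging time, the port names and the MAC addresses are made up; the attacker's addresses are generated from a fixed seed so the run is repeatable.

```python
import random
from collections import Counter
from typing import Optional, Set, Tuple

AGE_SECONDS = 300   # assumed MAC aging time (a common default)


class Switch:
    """Forwarding-table model: learns source MACs per port, ages them out,
    and applies the two limits from the slide (MACs per port, OUI filter)."""

    def __init__(self, table_size: int = 8192, max_macs_per_port: Optional[int] = None,
                 allowed_ouis: Optional[Set[str]] = None):
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port
        self.allowed_ouis = allowed_ouis      # e.g. {"00:1a:2b"}; None = no OUI filter
        self.table = {}                       # mac -> (port, last seen)
        self.per_port = Counter()             # port -> number of learned MACs
        self.err_disabled = set()

    def _expire(self, now: int) -> None:
        for mac, (port, seen) in list(self.table.items()):
            if seen + AGE_SECONDS <= now:
                del self.table[mac]
                self.per_port[port] -= 1

    def ingress(self, now: int, port: str, src: str, dst: str) -> str:
        """Learn src on port and return where a frame to dst goes: a port
        name, 'flood' for an unknown destination, or 'dropped'."""
        self._expire(now)
        if port in self.err_disabled:
            return "dropped"
        if self.allowed_ouis is not None and src[:8].lower() not in self.allowed_ouis:
            return "dropped"                  # Layer 2 ACL on the OUI
        if src in self.table:
            self.table[src] = (port, now)
        elif (self.max_macs_per_port is not None
              and self.per_port[port] >= self.max_macs_per_port):
            self.err_disabled.add(port)       # port-security violation: shut the port
            return "dropped"
        elif len(self.table) < self.table_size:
            self.table[src] = (port, now)
            self.per_port[port] += 1
        # else: table full, src stays unknown and traffic to it will be flooded
        return self.table[dst][0] if dst in self.table else "flood"


SERVER, CLIENT, ATTACKER_PORT = "00:1a:2b:00:00:10", "00:1a:2b:00:00:20", "e1/12"


def random_mac(rng: random.Random) -> str:
    return "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))


def flood_demo(max_macs_per_port: Optional[int] = None,
               allowed_ouis: Optional[Set[str]] = None) -> Tuple[str, bool]:
    """The server on e1/1 talks at t=0, then an attacker on e1/12 sends ten
    frames per second from fresh random MACs for 400 seconds. Returns where
    a client frame addressed to the server goes afterwards, and whether the
    attacker's port was shut down."""
    sw = Switch(table_size=256, max_macs_per_port=max_macs_per_port,
                allowed_ouis=allowed_ouis)
    rng = random.Random(1)                    # fixed seed: constructed, repeatable
    sw.ingress(0, "e1/1", SERVER, CLIENT)
    for t in range(1, 401):
        for _ in range(10):
            sw.ingress(t, ATTACKER_PORT, random_mac(rng), "ff:ff:ff:ff:ff:ff")
    sw.ingress(400, "e1/1", SERVER, CLIENT)   # the server's old entry has aged out
    where = sw.ingress(400, "e1/2", CLIENT, SERVER)
    return where, ATTACKER_PORT in sw.err_disabled


if __name__ == "__main__":
    print("no protection:", flood_demo())
    print("max 2 MACs per port:", flood_demo(max_macs_per_port=2))
    print("OUI filter:", flood_demo(allowed_ouis={"00:1a:2b"}))
```

Without protection the table stays full of the attacker's addresses, the server's aged-out entry cannot be relearned, and the client's frame is flooded out every port, including the attacker's. A per-port limit of two shuts the attacker's port on the third address; the OUI filter never learns the attacker's locally administered `02:` addresses at all.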


Page 36: Dont Get Caught With Your Layers Down

ARP

• Resolves an IP address to a MAC address

• Allows host-to-host communication on the same segment without going through the gateway


Page 37: Dont Get Caught With Your Layers Down

ARP Attacks

• ARP Poisoning/Spoofing


Page 38: Dont Get Caught With Your Layers Down

ARP Router Table

No.  IP Address    MAC Address     Type     Age  Port   Status
2    192.168.1.2   00b0.6898.a5af  Dynamic  2    0/1/1  Valid
3    192.168.1.3   00b0.6898.a5af  Dynamic  3    0/1/1  Valid
4    192.168.1.4   00b0.6898.a5af  Dynamic  6    0/1/1  Valid
5    192.168.1.5   00b0.6898.a5af  Dynamic  5    0/1/1  Valid
6    192.168.1.6   00b0.6898.a5af  Dynamic  3    0/1/1  Valid
7    192.168.1.7   00b0.6898.a5af  Dynamic  4    0/1/1  Valid
8    192.168.1.8   00b0.6898.a5af  Dynamic  4    0/1/1  Valid
9    192.168.1.9   00b0.6898.a5af  Dynamic  2    0/1/1  Valid
10   192.168.1.11  00b0.6898.a5af  Dynamic  6    0/1/1  Valid
11   192.168.1.16  00b0.6898.a5af  Dynamic  7    0/1/1  Valid
12   192.168.1.19  00b0.6898.a5af  Dynamic  1    0/1/1  Valid

Every entry resolves to the same MAC on the same port: the signature of a poisoned ARP cache.
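The table above is exactly what a quick check on a router's ARP output should catch. Here is an added example, not code from the slides: it parses `show arp` style text in the layout shown (row number, IP, dotted MAC, type, age, port, status) and reports every MAC that answers for more IP addresses than expected on one port. The table text is the slide's table transcribed; the threshold and the allow-list for MACs that legitimately front many addresses are made-up tuning knobs.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The router's ARP table from the slide, transcribed as text (row number first).
ARP_TABLE = """\
No.  IP Address    MAC Address     Type     Age  Port   Status
2    192.168.1.2   00b0.6898.a5af  Dynamic  2    0/1/1  Valid
3    192.168.1.3   00b0.6898.a5af  Dynamic  3    0/1/1  Valid
4    192.168.1.4   00b0.6898.a5af  Dynamic  6    0/1/1  Valid
5    192.168.1.5   00b0.6898.a5af  Dynamic  5    0/1/1  Valid
6    192.168.1.6   00b0.6898.a5af  Dynamic  3    0/1/1  Valid
7    192.168.1.7   00b0.6898.a5af  Dynamic  4    0/1/1  Valid
8    192.168.1.8   00b0.6898.a5af  Dynamic  4    0/1/1  Valid
9    192.168.1.9   00b0.6898.a5af  Dynamic  2    0/1/1  Valid
10   192.168.1.11  00b0.6898.a5af  Dynamic  6    0/1/1  Valid
11   192.168.1.16  00b0.6898.a5af  Dynamic  7    0/1/1  Valid
12   192.168.1.19  00b0.6898.a5af  Dynamic  1    0/1/1  Valid
"""

ROW = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<age>\d+)\s+(?P<port>\S+)\s+(?P<status>\w+)", re.I)


def parse_arp_table(text: str) -> List[dict]:
    """One dict per data row; header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            rows.append(row)
    return rows


def ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def find_poisoning(rows: List[dict], max_ips_per_mac: int = 2,
                   known_multi_ip_macs: Tuple[str, ...] = ()) -> Dict[Tuple[str, str], List[str]]:
    """Group entries by (port, MAC) and return the groups whose MAC answers
    for more IPs than max_ips_per_mac, skipping MACs that are known to front
    many addresses legitimately (a NAT firewall, a load balancer's VIPs)."""
    by_mac = defaultdict(set)
    for r in rows:
        by_mac[(r["port"], r["mac"])].add(r["ip"])
    return {key: sorted(ips, key=ip_key) for key, ips in by_mac.items()
            if len(ips) > max_ips_per_mac and key[1] not in known_multi_ip_macs}


def demo() -> Dict[Tuple[str, str], List[str]]:
    return find_poisoning(parse_arp_table(ARP_TABLE))


if __name__ == "__main__":
    for (port, mac), ips in demo().items():
        print("port %s: %s answers for %d addresses: %s" % (port, mac, len(ips), ", ".join(ips)))
```

Run periodically against the real output (or fed from a syslog collector), this catches the case on the slide: one station on 0/1/1 claiming the whole subnet. It will not catch a poisoner that targets only the gateway and one victim, which is the usual MITM; for that, compare the gateway's MAC against a known-good value, or let the switch do it with Dynamic ARP Inspection as the next slides describe.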


Page 39: Dont Get Caught With Your Layers Down

ARP Attack Tools

• Ettercap

• Cain and Abel

• Arpspoof (dsniff)


Page 40: Dont Get Caught With Your Layers Down

ARP Protection

• Dynamic ARP Inspection (the switch checks ARP sender IP/MAC pairs against the DHCP snooping bindings)

• Static ARP entries (at least the gateway, on hosts that matter)

• Endpoint software (host-based ARP watch / IDS)


Page 41: Dont Get Caught With Your Layers Down

Ask Your Vendors

• Dynamic ARP Inspection (DAI)

• IDS on the desktop

– Endpoint software


Page 42: Dont Get Caught With Your Layers Down

Routing

• Static or dynamic (routing protocol)

• Interior routing protocols

  – RIP, RIPv2

  – OSPF v2, v3

  – IGRP, EIGRP (Cisco proprietary)


Page 43: Dont Get Caught With Your Layers Down

Routing Attack

• MD5 authentication with a weak key is crackable

  – The digest covers the packet plus the key, so the attack is an offline dictionary or brute-force search for the key from one captured update, not a lookup of the digest in a hash table

  – http://gdataonline.com/seekhash.php contains over 1 billion hashes, and is free!

• Source routing

• Inject static routes

• Yersinia Framework

  – Supports Hot Standby Router Protocol

    • Becoming active router

    • Becoming active router (MITM)
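What "cracking the MD5 authentication" means in practice, and why per-link keys on the next slide limit the damage, can be shown with the actual construction. This is an added example, not code from the slides: the keyed-MD5 scheme used by OSPFv2 (RFC 2328 appendix D) and RIPv2 (RFC 2082) computes MD5 over the packet with the key appended and padded to 16 bytes. The OSPF Hello bytes, the wordlist and the keys (`cisco` on link A, a distinct key on link B) are constructed for the demo.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def keyed_md5(packet: bytes, key: bytes) -> bytes:
    """Routing-protocol style authentication: MD5(packet || key padded to
    16 bytes). The digest changes with every packet, so it is neither
    MD5(key) nor anything a precomputed MD5 table could contain."""
    return hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    return packet + keyed_md5(packet, key)


def verify(signed: bytes, key: bytes) -> bool:
    packet, digest = signed[:-16], signed[-16:]
    return hmac.compare_digest(digest, keyed_md5(packet, key))


def crack_key(signed: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: one captured update is enough, because the
    attacker can recompute the digest for every candidate key."""
    packet, digest = signed[:-16], signed[-16:]
    for word in wordlist:
        if keyed_md5(packet, word) == digest:
            return word
    return None


def digest_lookup(signed: bytes, table: dict) -> Optional[bytes]:
    """What a plain MD5 lookup service does: find the digest in a table of
    MD5(word). It cannot succeed, since the digest also covers the packet."""
    return table.get(signed[-16:])


def ospf_hello(router_id: bytes, seq: int) -> bytes:
    """Constructed OSPFv2 Hello with AuType 2 (cryptographic): version 2,
    type 1, length 44, router ID, area 0.0.0.0, checksum 0, AuType, then
    the auth field (0, key ID 1, auth data length 16, sequence number)
    and 20 bytes of made-up hello fields."""
    return (bytes([2, 1, 0, 44]) + router_id + bytes(4) + bytes(2) + bytes([0, 2])
            + bytes([0, 0, 1, 16]) + seq.to_bytes(4, "big") + bytes(20))


WORDLIST = [b"password", b"ospf", b"cisco", b"secret123"]   # constructed


def demo() -> dict:
    key_a, key_b = b"cisco", b"w1nter-gr33n-B"   # weak key on link A, distinct key on link B
    captured_a = sign(ospf_hello(bytes([10, 0, 0, 1]), 1), key_a)
    captured_b = sign(ospf_hello(bytes([10, 0, 0, 2]), 1), key_b)
    md5_table = {hashlib.md5(w).digest(): w for w in WORDLIST}
    recovered = crack_key(captured_a, WORDLIST)
    forged = sign(ospf_hello(bytes([10, 0, 0, 9]), 2), recovered)   # attacker's own Hello
    return {
        "lookup_finds_key": digest_lookup(captured_a, md5_table),
        "dictionary_finds_key": recovered,
        "forged_update_accepted_on_link_a": verify(forged, key_a),
        "key_a_accepted_on_link_b": verify(captured_b, recovered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-36s %r" % (name, value))
```

The recovered key lets the attacker sign their own updates on link A (route injection, or the HSRP-style takeover the slide lists), but the capture tells them nothing about link B because it uses a different key. That is the concrete reason for "different keys between routers" on the next slide; the other is to choose keys no wordlist will contain. Note that this scheme protects integrity and origin only: the key cannot be looked up from the digest, but nothing in the packet is encrypted, which is what the IPsec bullet on the next slide adds.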


Page 44: Dont Get Caught With Your Layers Down

Routing Protection

• Make sure IP source routing is off.

• Use routing protocol that requires

authentication (different keys between

routers)

• Encapsulate routing protocol in IPsec

• Use static routes where necessary

– Limit propagation of static routes


Page 45: Dont Get Caught With Your Layers Down

Routing Protection (cont)

• Suppress routing announcements

• Route to null if appropriate and log

• Be a good net neighbor: only let your own IPs out (egress filtering)

• Limit global routes

– Don’t route to 10.0.0.0/8 when you can use

more specific routes


Page 46: Dont Get Caught With Your Layers Down

Ask Your Vendors

• Encapsulate routing protocols in IPSec

• Support for authenticated routing protocols


Page 47: Dont Get Caught With Your Layers Down

Dynamic Host Configuration

Protocol

• Assigns hosts their IP addresses

• Assigns DNS server and routing (default gateway) information


Page 48: Dont Get Caught With Your Layers Down

DHCP Attack

• Yersinia Framework

– Supports all DHCP standards

• Sending RAW DHCP packet

• DoS sending DISCOVER packet (exhausting ip

pool)

• Setting up rogue DHCP server

• DoS sending RELEASE packet (releasing

assigned IP)

• Spoofed/Fake DHCP Server


Page 49: Dont Get Caught With Your Layers Down

DHCP Protection

• DHCP Snooping

  – Accepts DHCP server messages (OFFER/ACK) only from trusted ports and builds a binding table of IP, MAC and port from the leases it sees

• IP Source Guard

  – Drops traffic whose source IP/MAC does not match the binding table, so a statically assigned IP address is blocked unless a static binding is added
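DHCP snooping, IP Source Guard and the Dynamic ARP Inspection from the ARP Protection slide all hang off the same binding table, so one added example covers all three (this is a model, not the slides' code and not any vendor's implementation). The switch trusts the uplink, learns a binding when it sees the ACK answering a DISCOVER/REQUEST it relayed, and then checks every IP packet and ARP sender pair on untrusted ports against that table. The scenario also covers two attacks from the DHCP Attack slide: a rogue server on a user port and a forged RELEASE for another host's lease. Ports, MACs and addresses are made up; the message classes stand in for the real frames.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Dhcp:
    kind: str                       # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    client_mac: str                 # chaddr
    yiaddr: Optional[str] = None    # address handed out (OFFER/ACK)


@dataclass
class Arp:
    sender_mac: str
    sender_ip: str


@dataclass
class IpPacket:
    src_mac: str
    src_ip: str


class SnoopingSwitch:
    """Edge switch model: DHCP snooping builds the binding table; IP Source
    Guard and Dynamic ARP Inspection enforce it on untrusted ports."""
    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports: Set[str]):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[str, str], str] = {}   # (port, mac) -> ip, learned
        self.static: Dict[Tuple[str, str], str] = {}     # (port, mac) -> ip, configured
        self.pending: Dict[str, str] = {}                # client mac -> port awaiting ACK

    def _bound(self, port: str, mac: str, ip: str) -> bool:
        return self.bindings.get((port, mac)) == ip or self.static.get((port, mac)) == ip

    def dhcp(self, port: str, msg: Dhcp) -> str:
        if msg.kind in self.SERVER_MESSAGES and port not in self.trusted:
            return "dropped: server message on untrusted port"   # rogue DHCP server
        if msg.kind in ("DISCOVER", "REQUEST"):
            self.pending[msg.client_mac] = port
        elif msg.kind == "ACK":
            client_port = self.pending.pop(msg.client_mac, None)
            if client_port is not None:
                self.bindings[(client_port, msg.client_mac)] = msg.yiaddr
        elif msg.kind == "RELEASE" and port not in self.trusted:
            if (port, msg.client_mac) not in self.bindings:
                return "dropped: RELEASE for a lease not bound to this port"
            del self.bindings[(port, msg.client_mac)]
        return "forwarded"

    def ip(self, port: str, pkt: IpPacket) -> str:
        """IP Source Guard: source IP and MAC must match a binding on this port."""
        if port in self.trusted or self._bound(port, pkt.src_mac, pkt.src_ip):
            return "forwarded"
        return "dropped: source not in binding table"

    def arp(self, port: str, pkt: Arp) -> str:
        """Dynamic ARP Inspection: the sender IP/MAC pair must match a binding."""
        if port in self.trusted or self._bound(port, pkt.sender_mac, pkt.sender_ip):
            return "forwarded"
        return "dropped: ARP sender does not match binding table"


def demo() -> dict:
    """Uplink e1/49 is trusted; a victim on e1/5 gets a lease; an attacker on
    e1/12 tries a rogue server, a static IP, a spoofed gateway ARP and a
    RELEASE for the victim's lease."""
    sw = SnoopingSwitch(trusted_ports={"e1/49"})
    victim, attacker, gateway = "00:1a:2b:00:00:05", "00:11:22:33:44:55", "192.168.1.1"
    r = {}
    r["rogue_offer"] = sw.dhcp("e1/12", Dhcp("OFFER", victim, "192.168.1.77"))
    sw.dhcp("e1/5", Dhcp("DISCOVER", victim))
    sw.dhcp("e1/49", Dhcp("OFFER", victim, "192.168.1.5"))
    sw.dhcp("e1/5", Dhcp("REQUEST", victim))
    sw.dhcp("e1/49", Dhcp("ACK", victim, "192.168.1.5"))
    r["victim_ip"] = sw.ip("e1/5", IpPacket(victim, "192.168.1.5"))
    r["static_ip"] = sw.ip("e1/12", IpPacket(attacker, "192.168.1.200"))
    sw.static[("e1/12", attacker)] = "192.168.1.200"     # operator adds a static binding
    r["static_ip_with_binding"] = sw.ip("e1/12", IpPacket(attacker, "192.168.1.200"))
    r["spoofed_gateway_arp"] = sw.arp("e1/12", Arp(attacker, gateway))
    r["victim_arp"] = sw.arp("e1/5", Arp(victim, "192.168.1.5"))
    r["release_for_victim"] = sw.dhcp("e1/12", Dhcp("RELEASE", victim))
    r["victim_binding"] = sw.bindings.get(("e1/5", victim))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

Two details carry over to real deployments. The binding is keyed by port as well as MAC, which is what makes the forged RELEASE fail even though it carries the victim's MAC. And a host with a static address is simply cut off until someone adds the static binding, so an inventory of static hosts on user ports is a prerequisite for turning IP Source Guard on, not an afterthought.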


Page 50: Dont Get Caught With Your Layers Down

IP Source Guard


Page 51: Dont Get Caught With Your Layers Down

Ask Your Vendors

• DHCP Snooping

• IP Source Guard


Page 52: Dont Get Caught With Your Layers Down

Packet Control

• SYN per second

• RST per second

• Broadcasts per second


Page 53: Dont Get Caught With Your Layers Down

Refresh

• Limit L2 discovery protocols

• Spanning-Tree protection

– Root/BPDU Guard

• Anti-Spoofing ACL’s

• Routing

– Restrict routing updates, authenticate, encrypt, disable source routing, use null routes


Page 54: Dont Get Caught With Your Layers Down

Refresh (cont)

• MAC address restrictions

• Turn off routing between subnets/VLANs

• DHCP Snooping/IP Source Guard

• Limit TCP SYNs, RSTs, Broadcasts


Page 55: Dont Get Caught With Your Layers Down

Thank You

• Questions

• Comments

• Thanks to Sippleware for QA
