Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitigating Layer 2 Attacks

Similar presentations


Presentation on theme: "Mitigating Layer 2 Attacks"— Presentation transcript:

1 Mitigating Layer 2 Attacks
Securing Layer 2 Access Mitigating Layer 2 Attacks

2 Layer 2 Security Issues Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions, and there is lack of security at this layer. Many security features are available for switches and routers, but they must be enabled to be effective. However, as with access control lists (ACL) for upper- layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations. Much industry attention surrounds security attacks from outside the walls of an organization and at the upper Open Systems Interconnection (OSI) layers. Network security often focuses on edge routing devices and the filtering of packets based on Layer 3 and Layer 4 headers, ports, stateful packet inspection, and so forth. This includes all issues surrounding Layer 3 and above, as traffic makes its way into the campus network from the Internet. Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions, and there is lack of security at this layer. The default state of networking equipment highlights this focus on external protection and internal open communication. Firewalls, placed at the organizational borders, arrive in a secure operational mode and do not enable communication until configured to do so. Routers and switches that are internal to an organization and designed to accommodate communication, delivering needful campus traffic, have a default operational mode that forwards all traffic unless configured otherwise. Their function as devices that facilitate communication often results in minimal security configuration and renders them targets for malicious attacks. If an attack is launched at Layer 2 on an internal campus device, the rest of the network can be quickly compromised, often without detection. Also, non-malicious user intentions can also result in network disruption. Activities such as a user plugging in a switch or a hub causing to a data port or configuring their laptop as a DHCP server although not malicious intended, nevertheless can still result in network disruptions. Many security features are available for switches and routers, but they must be enabled to be effective. As with Layer 3, where security had to be tightened on devices within the campus as malicious activity that compromised this layer increased; now security measures must be taken to guard against malicious activity at Layer 2. A new security focus centres on attacks launched by maliciously leveraging normal Layer 2 switch operations. Security features exist to protect switches and Layer 2 operations. However, as with access control lists (ACL) for upper-layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations.

3 Security Infrastructure Services
Use private VLANs, IPS, logging and ACLs Server Farm Do not perform security operations – increases performance Core The following are some recommended-practice security considerations for each module: The campus core layer in the campus infrastructure module switches packets as quickly as possible. It should not perform any security functions because these would slow down packet switching. The building distribution layer performs packet filtering to keep unnecessary traffic from the campus core layer. Packet filtering at the building distribution layer is a security function because it prevents some unwanted access to other modules. Given that switches in this layer are usually Layer 3-aware multilayer switches, the building distribution layer is often the first location that can filter based on network layer information. At the building access layer, access can be controlled at the port level with respect to the data link layer information (for example, MAC addresses). The server farm module provides application services to end users and devices. Given the high degree of access that most employees have to these servers, they often become the primary target of internally originated attacks. Use host- and network-based intrusion prevention systems (IPS), private VLANs, and access control to provide a more comprehensive response to attacks. Onboard IDS within multilayer switches can inspect traffic flows on the server farm module. The server farm module typically includes a network management system that securely manages all devices and hosts within the enterprise architecture. Syslog provides important information regarding security violations and configuration changes by logging security-related events (authentication and so on). Other servers including an authentication, authorization, and accounting (AAA) security server can work in combination with the one-time password (OTP) server to provide a high level of security to all local and remote users. AAA and OTP authentication reduce the likelihood of a successful password attack. Use ACLs to provide security and filtering. Distribution Use switchport security to control access to the network. Access

4 Layer 2 Malicious Attacks
Layer 2 malicious attacks are typically launched by a device connected to the campus network. This can be a physical rogue device placed on the network or an external intrusion that takes control of and launches attacks from a trusted device. In either case, the network sees all traffic as originating from a legitimate connected device. The following lists the types of attacks launched against switches and Layer 2: MAC layer attacks (e.g. MAC address flooding). VLAN attacks (e.g. VLAN hopping). Spoof attacks (e.g. DHCP, MAC & ARP spoofing). Switch device attacks  (e.g. CDP manipulation, Telnet attacks).     Rogue access comes in several forms. For example, because unauthorized rogue access points are inexpensive and readily available, employees sometimes plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Malicious rogue access points, although much less common than employee-installed rogue access points, are also a security concern. These rogue access points create an unsecured wireless LAN connection that puts the entire wired network at risk. Malicious rogues present an even greater risk and challenge because they are intentionally hidden from physical and network view by not broadcasting the SSID. To mitigate Spanning Tree Protocol (STP) manipulation, use the root guard and the BPDU guard enhancement commands to enforce the placement of the root bridge in the network and to enforce the STP domain borders. The root guard feature is designed to provide a way to enforce the root bridge placement in the network. The STP bridge protocol data unit (BPDU) guard is designed to enable network designers to keep the active network topology predictable. Although the BPDU guard might seem unnecessary, given that the administrator can set the bridge priority to zero, there is still no guarantee that it will be elected as the root bridge because there might be a bridge with priority zero and a lower bridge ID. A BPDU guard is best deployed toward user-facing ports to prevent unauthorized switches from being attached to the network by an attacker.

5 MAC Flood Attack A common Layer 2 or switch attack is MAC flooding, which causes a switch’s CAM table to overflow, resulting in flooding regular data frames out all switch ports. This attack can be launched to collect a broad sample of traffic or as a denial of service (DoS) attack. A switch’s CAM tables are limited and, therefore, can contain only a limited number of entries at any one time. A network intruder can maliciously flood a switch with a large number of frames from a range of invalid source MAC addresses. If enough new entries are made before old ones expire, new valid entries are not accepted. Then, when traffic arrives at the switch for a legitimate device that is located on one of the switch ports that was not able to create a CAM table entry, the switch must flood frames to that address out all ports. This has two adverse effects: Switch traffic forwarding is inefficient and voluminous. An intruding device can be connected to any switch port and capture traffic not normally seen on that port. If the attack is launched before the beginning of the day, the CAM table in the switches would be full. As the majority of legitimate end devices are powered up, their source MAC addresses would not be entered into the CAM tables. If this represents a large number of network devices, the number of MAC addresses for which traffic will be flooded is high, and switch ports will carry flooded frames from a large number of devices. If the initial flood of invalid CAM table entries is a one-time event, the switch eventually ages out older, invalid CAM table entries, allowing new, legitimate devices to create an entry. Traffic flooding will cease and may never be detected, while the intruder captured a significant amount of data from the network. To mitigate against MAC flooding, port security is configured to define the number of MAC addresses that are allowed on a given port. Port security can also specify which MAC address is allowed on a given port.

6 Switch Configuration – Port Security
To limit the number of addresses that can be learned on an interface switches provide a feature called port security. The number of MAC addresses per port can be limited to 1. Secure addresses can be assigned statically or dynamically learned by the switch. S1(config)#interface fa0/1 S1(config-if)# switchport port-security ? aging Port-security aging commands mac-address secure mac address maximum max secure addrs violation security violation mode Anyone can plug in a PC or laptop into a wall TAP - this is a potential entry point to the network by unauthorised users. Switches provide a feature called port security. It is possible to limit the number of addresses that can be learned on an interface. The switch can be configured to take an action if this is exceeded. Secure MAC addresses can be configured statically. However, it is a complex task to configure secure MAC addresses statically, and is usually prone to error. An alternative approach is to set port security on a switch interface. The number of MAC addresses per port can be limited to 1. The first address dynamically learned by the switch becomes the secure address. To reverse port security on an interface use the no form of the command. The command show port security can be used to verify port security status.

7 Switch Configuration – Port Security
Static secure MAC addresses: MAC addresses are manually configured by using the switchport port- security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch. Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts. Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.

8 Port Security: Violation
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown} By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions: Protect: Frames from the non-allowed address are dropped, but there is no log of the violation. The protect argument is platform or version dependent. Restrict: Frames from the non-allowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent. Shut down: If any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Port LED is switched off.

9 Switch Configuration – Port Security
Server DLS1 PC1 Fa0/1 Fa0/2 DLS1(config)# interface FastEthernet 0/1 DLS1(config-if)# switchport DLS1(config-if)# switchport mode access DLS1(config-if)# switchport port-security DLS1(config-if)# switchport port-security mac-address DLS1(config-if)# switchport port-security maximum 1 DLS1(config-if)# switchport port-security aging static DLS1(config-if)# switchport port-security violation restrict DLS1(config-if)# switchport block unicast DLS1(config)# interface FastEthernet 0/2 DLS1(config-if)# switchport port-security mac-address sticky DLS1(config-if)# switchport port-security maximum 2 DLS1(config-if)# switchport port-security violation shutdown Port security can mitigate spoofing attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short time period but does not limit port access to a specific MAC address. The most restrictive port security implementation would specify the exact MAC address of the single device that is to gain access through each port. Implementing this level of security, however, requires considerable administrative overhead. Port security has a sticky MAC addresses feature that can limit switch port access to a single, specific MAC address without the network administrator having to gather the MAC address of every legitimate device and manually associate it with a particular switch port. When sticky MAC addresses are used, the switch port converts dynamically learned MAC addresses to sticky MAC addresses and subsequently adds them to the running configuration as if they were static entries for a single MAC address to be allowed by port security. Sticky secure MAC addresses will be added to the running configuration but will not become part of the startup configuration file unless the running configuration is copied to the startup configuration after addresses have been learned. If they are saved in the startup configuration, they will not have to be relearned upon switch reboot, and this provides a higher level of network security. Note: The interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface level configuration command that follows converts all dynamic port-security learned MAC addresses to sticky secure MAC addresses. This command cannot be used on ports where voice VLANs are configured. By default, switches flood packets with unknown destination MAC addresses to all ports in the same VLAN as the received port’s VLAN. Some ports do not require flooding. For example, a port that has only manually assigned MAC addresses and that does not have a network device connected to that port other than the configured MAC address does not need to receive flooded packets. In addition, a port security–enabled port with a configured secure MAC address or port does not need to receive unknown unicast flooding if the port has already learned the maximum number of MAC addresses. If the network exhibits asymmetrical routing, excessive unicast flooding can occur and might cause all the devices in that VLAN to suffer as they receive the unneeded traffic. With asymmetrical routing, transmit and receive packets follow different paths between a host and the destination device. The unicast flood-blocking feature prevents the forwarding of unicast flood traffic on unnecessary ports. Restricting the amount of traffic on a per-port basis adds a level of security to the network and prevents network devices from unnecessarily processing nondirected packets. Cisco Catalyst switches can restrict flooding of unknown multicast MAC-addressed traffic on a per-port basis, in addition to restricting flooding of unknown unicast destination MAC addresses. Use the following interface-level command: switchport block {unicast | multicast}

10 switchport mode access
Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port. switchport port-security Enables port security on the interface switchport port-security maximum 6 Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1. switchport port-security aging time 5 Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. switchport port-security mac-address b Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. switchport port-security mac-address sticky Enable dynamic learning of MAC address on the interface. switchport port-security violation shutdown / Restrict / Protect Set the violation mode, the action to be taken when a security violation is detected. Port security can be used to mitigate spoof attacks by limiting access through each switch port to a single MAC address. This prevents intruders from using multiple MAC addresses over a short period of time but does not limit port access to a specific MAC address. The most restrictive port security implementation would specify the exact MAC address of the single device that is to gain access through each port. Implementing this level of security, however, requires considerable administrative overhead. Port security has a feature called “sticky MAC addresses” that can limit switch port access to a single, specific MAC address without the network administrator having to determine the MAC address of every legitimate device and manually associate it with a particular switch port. When sticky MAC addresses are used, the switch port converts dynamically learned MAC addresses to sticky MAC addresses, and adds them to the running configuration as if they were static entries for a single MAC address allowed by port security. Sticky secure MAC addresses are added to the running configuration but do not become part of the startup configuration file, unless the running configuration is copied to the startup configuration after addresses have been learned. If they are saved in the startup configuration, they do not have to be relearned when the switch is rebooted, which provides a higher level of network security. The following command converts all dynamic port security–learned MAC addresses to sticky secure MAC addresses: switchport port-security mac-address sticky This command cannot be used on ports where voice VLANs are configured.   Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration.

11 Verify Port Security DLS1# show running-config fastethernet 0/2
interface FastEthernet0/1 switchport access vlan 2 switchport mode access switchport port-security maximum 2 switchport port-security switchport port-security violation shutdown switchport port-security mac-address sticky switchport port-security mac-address sticky 001b.d513.2ad2 DLS1# show port-security address Secure Mac Address Table Vlan Mac Address Type Ports Remaining Age (mins) b.d513.2ad SecureSticky Fa0/

12 VLAN Hopping – Switch Spoofing
Trunk Attacker 802.1q Native VLAN 1 VLANS 10 & 20 Trunk VLAN 20 VLAN 20 802.1q Native VLAN 1 S1 S2 VLAN 10 VLAN 20 In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with DTP negotiations, to establish a trunk connection to the switch. By default, a trunk connection provides an attacker with access to all VLANs in the network. VLAN hopping is a network attack whereby an end system sends packets to, or collects packets from, a VLAN that should not be accessible to that end system. This is accomplished by tagging the invasive traffic with a specific VLAN ID or by negotiating a trunk link to send or receive traffic on penetrated VLANs. VLAN hopping can be accomplished by switch spoofing or double tagging. In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with Dynamic Trunking Protocol (DTP) negotiations, to establish a trunk connection to the switch. Any switch port configured as DTP auto may become a trunk port when a DTP packet generated by the attacking device is received, and thereby accept traffic destined for any VLAN supported on that trunk. The malicious device can then send packets to, or collect packets from, any VLAN carried on the negotiated trunk.

13 VLAN Hopping – Double Tagging
Data Data VLAN20 VLAN10 Access Port Trunk VLAN 10 VLAN 10 802.1q Native VLAN 10 S1 S2 Data VLAN20 VLAN 10 VLAN 20 Attacker sends a double-tagged broadcast packet into the local access-LAN. Switch 1 forwards this across the trunk, removing the first tag, as it matches the native VLAN. Switch 2 receives the packet, and forwards it into VLAN 20. The second form of VLAN hopping attack is possible even if the trunking feature is turned off on the switch port. The attack involves sending frames with a double 802.1Q tag, as shown in the slide. This attack requires the client to be on a switch other than the attacking switch. Another requirement is that these two switches must be connected in the same VLAN as the attacking switch port or native VLAN of the trunk between the switch and the attacked VLAN. The malicious payload is first given an 802.1q tag with the VLAN ID of the target VLAN. Then a second bogus 802.1q tag is added with the attackers access VALN ID. When S1 receives a double tagged frame, it decides to forward it out of the trunk interface, and as the outer tag is the same as the trunks native VLAN, the outer tag is removed. This exposes the second tag. When S2 receives the frame, it examines any 802.1q tag it finds – in the example, it is VLAN ID 20, so the frame will be forwarded onto VLAN 20.

14 Mitigating VLAN Hopping
Switch Spoofing: Configure all unused ports as access ports so that trunking cannot be negotiated across those links. Place all unused ports in the shutdown state and associate with a VLAN designated only for unused ports, carrying no user data traffic. Switch Spoofing: Configure the native VLAN with an unused VLAN, which can then be pruned off the trunk: S1(conf)#vlan 800 S1(conf-vlan)# name bogus_native S1(conf)#int fa0/1 S1(conf-if)#switchport trunk encap dot1q S1(conf-if)#switchport trunk native vlan 800 S1(conf-if)#switchport trunk allowed vlan remove 800 S1(conf-if)# Switchport mode trunk Note that although maintenance protocols such as CDP, PAgP and DTP are normally carried over the native VLAN of a trunk, they will not be affected if the native VLAN is pruned from the trunk. They will be sent and received on the native VLAN as a special case, even if the native VLAN ID is not in the list of allowed VLANs. An alternative to pruning the native VLAN is to force it to carry tagged traffic – this would mean that the malicious outer tag would not be removed, and the frame would be delivered to the same VLAN on S2. To force a switch to tag the native VLAN on all 802.1q trunks, use the following commadn: S1 (config)#vlan dot1q tag native

15 VLAN Access Control Lists
Router access control list (RACL): Applied to Layer 3 interfaces such as SVI or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction. Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port. VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).

16 VACL Configuration DLS1 Host 2 /24 VLAN 20 Deny all traffic from VLAN 20 reaching the VLAN 10 server Server /24 VLAN 10 Host 1 /24 VLAN 10 1.Create ACL to define traffic to block: DLS1(config)#ip access-list extended DENY_SERVER DLS1(conf-ext-nacl)#permit ip host 2. Create VLAN map to block and forward traffic: DLS1(config)# vlan access-map DENY_MAP 10 DLS1(config-access-map)#match ip address DENY_SERVER DLS1(config-access-map)#action drop DLS1(config-access-map)#exit DLS1(config)#vlan access-map DENY_MAP 20 DLS1(config-access-map)#action forward 3. Apply VLAN map to VLAN 10 DLS1(config)#vlan filter DENY_MAP vlan-list 10 VACLs are somewhat different from RACLs or traditional access control lists. Although they, too, are merged into the TCAM, they can permit, deny or redirect packets as they are matched. VACLs are also configured in a route map fashion, with a series of matching conditions and actions to take. Access map statements are evaluated in sequence, according to their sequence number. Each statement can contain one or more matching conditions, followed by an action. A VACL is applied globally to one or more VLAN, and not to a VLAN interface (SVI), as a VACL needs to function within the VLAN, where there is no inbound or outbound direction.


Download ppt "Mitigating Layer 2 Attacks"

Similar presentations


Ads by Google