Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitigating Layer 2 Attacks Securing Layer 2 Access.

Similar presentations


Presentation on theme: "Mitigating Layer 2 Attacks Securing Layer 2 Access."— Presentation transcript:

1 Mitigating Layer 2 Attacks Securing Layer 2 Access

2 Layer 2 Security Issues Campus access devices and Layer 2 communication are left largely unconsidered in most security discussions, and there is lack of security at this layer. Many security features are available for switches and routers, but they must be enabled to be effective. However, as with access control lists (ACL) for upper- layer security, a policy must be established and appropriate features configured to protect against potential malicious acts while maintaining daily network operations.

3 Security Infrastructure Services Access Distribution Core Server Farm Use switchport security to control access to the network. Use ACLs to provide security and filtering. Do not perform security operations – increases performance Use private VLANs, IPS, logging and ACLs

4 Layer 2 Malicious Attacks Layer 2 malicious attacks are typically launched by a device connected to the campus network. This can be a physical rogue device placed on the network or an external intrusion that takes control of and launches attacks from a trusted device. In either case, the network sees all traffic as originating from a legitimate connected device. The following lists the types of attacks launched against switches and Layer 2: 1. MAC layer attacks (e.g. MAC address flooding). 2. VLAN attacks (e.g. VLAN hopping). 3. Spoof attacks (e.g. DHCP, MAC & ARP spoofing). 4. Switch device attacks (e.g. CDP manipulation, Telnet attacks).

5 MAC Flood Attack To mitigate against MAC flooding, port security is configured to define the number of MAC addresses that are allowed on a given port. Port security can also specify which MAC address is allowed on a given port.

6 Switch Configuration – Port Security To limit the number of addresses that can be learned on an interface switches provide a feature called port security. The number of MAC addresses per port can be limited to 1. Secure addresses can be assigned statically or dynamically learned by the switch. S1(config)#interface fa0/1 S1(config-if)# switchport port-security ? aging Port-security aging commands mac-addresssecure mac address maximum max secure addrs violation security violation mode

7 Static secure MAC addresses: MAC addresses are manually configured by using the switchport port- security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch. Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts. Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration. Switch Configuration – Port Security

8 Port Security: Violation By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions: Protect: Frames from the non-allowed address are dropped, but there is no log of the violation. The protect argument is platform or version dependent. Restrict: Frames from the non-allowed address are dropped, a log message is created and Simple Network Management Protocol (SNMP) trap sent. Shut down: If any frames are seen from a non-allowed address, the interface is errdisabled, a log entry is made, SNMP trap sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable. Port LED is switched off. Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

9 Switch Configuration – Port Security DLS1(config)# interface FastEthernet 0/1 DLS1(config-if)# switchport DLS1(config-if)# switchport mode access DLS1(config-if)# switchport port-security DLS1(config-if)# switchport port-security mac-address DLS1(config-if)# switchport port-security maximum 1 DLS1(config-if)# switchport port-security aging static DLS1(config-if)# switchport port-security violation restrict DLS1(config-if)# switchport block unicast DLS1(config)# interface FastEthernet 0/2 DLS1(config-if)# switchport DLS1(config-if)# switchport mode access DLS1(config-if)# switchport port-security DLS1(config-if)# switchport port-security mac-address sticky DLS1(config-if)# switchport port-security maximum 2 DLS1(config-if)# switchport port-security aging static DLS1(config-if)# switchport port-security violation shutdown Fa0/1Fa0/2 DLS1PC1Server

10 switchport mode access Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port. switchport port-security Enables port security on the interface switchport port-security maximum 6 Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1. switchport port-security aging time 5 Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes. switchport port-security mac-address b Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned. switchport port-security mac-address sticky Enable dynamic learning of MAC address on the interface. switchport port-security violation shutdown / Restrict / Protect Set the violation mode, the action to be taken when a security violation is detected.

11 Verify Port Security DLS1# show running-config fastethernet 0/2 interface FastEthernet0/1 switchport access vlan 2 switchport mode access switchport port-security maximum 2 switchport port-security switchport port-security violation shutdown switchport port-security mac-address sticky switchport port-security mac-address sticky 001b.d513.2ad2 DLS1# show port-security address Secure Mac Address Table Vlan Mac Address Type Ports Remaining Age (mins) b.d513.2ad2 SecureSticky Fa0/2 -

12 VLAN Hopping – Switch Spoofing 802.1q Native VLAN 1 VLAN 20 VLAN 10 VLAN q Native VLAN 1 VLANS 10 & 20 In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch by performing Inter-Switch Link (ISL) or 802.1Q trunking, along with DTP negotiations, to establish a trunk connection to the switch. By default, a trunk connection provides an attacker with access to all VLANs in the network. S1S2 Trunk Attacker

13 VLAN Hopping – Double Tagging Data VLAN20 VLAN q Native VLAN 10 VLAN 10 Data VLAN20 Data VLAN 10 VLAN 20 1.Attacker sends a double-tagged broadcast packet into the local access-LAN. 2.Switch 1 forwards this across the trunk, removing the first tag, as it matches the native VLAN. 3.Switch 2 receives the packet, and forwards it into VLAN 20. S1S2 Access Port Trunk

14 Mitigating VLAN Hopping Switch Spoofing: Configure all unused ports as access ports so that trunking cannot be negotiated across those links. Place all unused ports in the shutdown state and associate with a VLAN designated only for unused ports, carrying no user data traffic. Switch Spoofing: Configure the native VLAN with an unused VLAN, which can then be pruned off the trunk: S1(conf)#vlan 800 S1(conf-vlan)# name bogus_native S1(conf)#int fa0/1 S1(conf-if)#switchport trunk encap dot1q S1(conf-if)#switchport trunk native vlan 800 S1(conf-if)#switchport trunk allowed vlan remove 800 S1(conf-if)# Switchport mode trunk

15 VLAN Access Control Lists Router access control list (RACL): Applied to Layer 3 interfaces such as SVI or L3 routed ports. It controls the access of routed traffic between VLANs. RACLs are applied on interfaces for specific directions (inbound or outbound). You can apply one access list in each direction. Port access control list (PACL): Applied on a Layer 2 switch port, trunk port, or EtherChannel port. PACLs perform access control on traffic entering a Layer 2 interface. With PACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. When you apply a PACL to a trunk port, it filters traffic on all VLANs present on the trunk port. VLAN access control list (VACL): Supported in software on Cisco multilayer switches. Filtering based on Layer 2 or Layer 3 parameters within a VLAN. Unlike RACLs, VACLs are not defined by direction (input or output).

16 VACL Configuration Server /24 VLAN 10 Host /24 VLAN 10 Host /24 VLAN 20 Deny all traffic from VLAN 20 reaching the VLAN 10 server DLS1 1.Create ACL to define traffic to block: DLS1(config)#ip access-list extended DENY_SERVER DLS1(conf-ext-nacl)#permit ip host Create VLAN map to block and forward traffic: DLS1(config)# vlan access-map DENY_MAP 10 DLS1(config-access-map)#match ip address DENY_SERVER DLS1(config-access-map)#action drop DLS1(config-access-map)#exit DLS1(config)#vlan access-map DENY_MAP 20 DLS1(config-access-map)#action forward 3. Apply VLAN map to VLAN 10 DLS1(config)#vlan filter DENY_MAP vlan-list 10


Download ppt "Mitigating Layer 2 Attacks Securing Layer 2 Access."

Similar presentations


Ads by Google