Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure LAN Switching Layer 2 security Introduction Port-level controls

Published byLauren Kennedy Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure LAN Switching Layer 2 security Introduction Port-level controls"— Presentation transcript:

1 Secure LAN Switching Layer 2 security Introduction Port-level controls
Storm control Protected ports Private VLAN Port blocking Port security ACLs on switches STP features for layer-2 security DHCP features against snooping IP source guard Dynamic ARP Inspection (DAI) T. A. Yang Network Security

2 Switches and Layer 2 security
Security of lower layer devices is important, because some threats are initiated on Layer 2 rather than Layer 3 and above. Example: A firewall or a router cannot block a compromised server on a DMZ LAN from connecting to another server on the same segment.  because the connection occurs at Layer 2 Focus of the chapter: Cisco Catalyst series switches (principles applicable to other types of switches) T. A. Yang Network Security

3 Source: http://www. cisco
T. A. Yang Network Security

4 Switch and Layer 2 security
Sample L2 attacks and their mitigations See (local copy) T. A. Yang Network Security

5 Port security A mechanism to restrict the MAC addresses that can connect via a particular port of the switch Allows a range of MAC addresses to be specified for a particular port Only frames with a right MAC address can go through the switch. Useful for preventing MAC address flooding attacks CAM overflow: Content-Addressable Memory (aka. associated memory) CAM table stores information such as MAC addresses available on physical ports, with their associated VLAN params. CAM table has fixed size. When a CAM table is full, the switch is unable to create a new entry.  It forwards a received frame to all ports, resulting in increased traffic and allowing the attacker to examine all frames. So, CAM overflow attacks may lead to subsequent DoS and traffic analysis attacks (next slide) T. A. Yang Network Security

6 MAC Address Flooding T. A. Yang Network Security

7 MAC Address Flooding (cont.)
4/21/2017 MAC Address Flooding (cont.) Counter-measures: Hard-coding the MAC addresses that are allowed to connect on a port, or Limiting the number of hosts that are allowed to connect on a port Example 5-1: approach 1 + timed suspension Console> (enable) set port security 2/1 enable Console> (enable) set port security 2/1 enable b Console> (enable) set port security 2/1 shutdown 600 Example 5-2: approach 2 Console> (enable) set port security 3/2 maximum 20 set port security To configure port security and unicast flood on a port or range of ports, use the set port security command. set port security mod/port... [enable | disable] [mac_addr] [age {age_time}] [maximum {num_ of_mac}] [shutdown {shutdown_time}] [unicast-flood {enable | disable}] [violation {shutdown | restrict}] T. A. Yang Network Security

8 4/21/2017 IP permit lists Purpose: To restrict higher layer traffic, such asTelnet, SSH, HTTP, and SNMP, from entering a switch Allows IP addresses to be specified that are allowed to send these kinds of traffic through the switch Command: set ip permit enable Example 5-3 set ip permit enable [telnet | snmp | ssh] Enable the IP permit list. T. A. Yang Network Security

9 Protocol Filtering Purpose: To limit broadcast/multicasts for certain protocols With Cisco Catalyst 5000 series of switches, packets are classified into protocol groups: IP 2. IPX AppleTalk, DECnet, Banyan VINES 4. Other protocols A port is configured to belong to one or more of these groups. For each of the groups a port belong to, the port is in one of the following states (for that group): On  Receive all broadcast/multicast traffic for that protocol Off  no broadcast/multicast traffic for that protocol Auto  auto-configured port The port becomes a member of the protocol group only after the device connected to the port transmits packets of that specific protocol group. Once the attached device stops transmitting packets for that protocol for 60 minutes, the port is removed form that protocol group. Example 5-4 T. A. Yang Network Security

10 Controlling LAN floods
Attackers may cause frame flood (e.g., CAM flooding), or send broadcast/multicast messages to flood the LAN. Counter-measures: Protocol filtering Setting up threshold limits for broadcast/multicast traffic on ports Catalyst switches allow thresholds for broadcast traffic to be set up on a per-port basis. The thresholds can depend on either the bandwidth consumed by broadcasts or the number of broadcast packets being sent across a port. ‘Bandwidth consumed’ is a preferred measure. (Why?) Example: Console> (enable) set port broadcast 2/1-6 75% Other broadcast/multicast traffic is dropped when the bandwidth consumed by broadcast/multicast traffic reaches 75%. T. A. Yang Network Security

11 VLAN Virtual LAN Source: Group of devices on one or more LANs that are configured (using management software) so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. based on logical instead of physical connections extremely flexible T. A. Yang Network Security

12 Sample VLAN configurations
Source: T. A. Yang Network Security

13 Multiple-VLAN Network
T. A. Yang Network Security

14 VLAN & Trunking A trunk is an interface on a switch that can carry packets for any VLAN. When packets get sent between switches, each packet gets tagged, based on the IEEE standard for passing VLAN packets between bridges, 802.1Q. The receiving switch removes the tag and forwards the packet to the correct port or VLAN in the case of a broadcast packet. Be aware! “VLAN Insecurity” (by Rik Farrow): “VLANs make it possible to share a switch among many LANs, by filtering and limiting broadcast traffic.” “But this form of isolation relies on software and configuration, not the physical isolation that security people like myself really like to see.” T. A. Yang Network Security

15 Private VLANs An enhancement to some Cisco switches
Traditional VLAN: no layer 2 segregation of devices of the same VLAN  So when one of the devices in a VLAN is compromised, other devices on the same VLAN may be compromised as well. Purpose of private VLANs: To allow restrictions to be placed on the Layer 2 traffic of a VLAN. T. A. Yang Network Security

16 Private VLANs Provides layer 2 isolation to quarantine hosts from one another among ports within the same PVLAN Three types of private VLAN ports: Promiscuous ports: communicate with all other private VLAN ports Community ports: communicate among themselves and with their promiscuous ports Isolated ports: have complete Layer 2 isolation from other ports within the same private VLAN (e.g., Ethernet ports in hotel rooms) T. A. Yang Network Security

17 T. A. Yang Network Security

18 Other security features in VLAN
Port blocking When a packet’s MAC address can not be found in a switch’s MAC address table, the switch will broadcast (flood) unknown unicast and multicast traffic to all the ports in the same VLAN This flooding can be blocked using port blocking feature Port filtering based on MAC address A set of MAC addresses are allowed to access a port. Packets with source MAC addresses outside the set are dropped. T. A. Yang Network Security

19 ACLs on Switches, 1/4 Router ACL MAC ACL
Switched virtual interfaces (SVI) are virtual layer 3 interfaces. Both standard and extended ACLs are supported on SVI. MAC ACL Aka Ethernet ACL Filters non-IP traffic using MAC address filtering Supports only inbound traffic mac access-list extended T. A. Yang Network Security

20 ACLs on Switches, 2/4 Port ACL VLAN ACL (VACL)
Supported on physical layer 2 interfaces Supports only inbound traffic filtering Supports standard, extended, and MAC-extended ACLs Can filter both IP and non-IP traffic VLAN ACL (VACL) Aka VLAN map Filters all types of traffic bridged within a VLAN or routed into or out of the VLAN Examples next page T. A. Yang Network Security

21 ACLs on Switches, 3/4 VLAN ACL (VACL)
Filters all types of traffic bridged within a VLAN T. A. Yang Network Security

22 ACLs on Switches, 4/4 VLAN ACL (VACL)
Filters all types of traffic routed into or out of the VLAN Order of processing: VACL for input VLAN, input IOS ACL, Outbound IOS ACL, VACL for output VLAN T. A. Yang Network Security

23 L2 security using STP features
Spanning Tree Protocol (STP) Source: prevents loops from being formed when switches or bridges are interconnected via multiple paths. implements the IEEE 802.1D algorithm by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces. guarantees that there is one and only one active path between two network devices. T. A. Yang Network Security

24 Illustration of the STP
Root ports vs Designated ports T. A. Yang Network Security

25 The STP PortFast feature
Source: STP configures meshed topology into a loop-free, tree-like topology. When the link on a bridge port goes up, STP calculation occurs on that port. The result of the calculation is the transition of the port into forwarding or blocking state. The result depends on the position of the port in the network and the STP parameters. This calculation and transition period usually takes about 30 to 50 seconds. At that time, no user data pass via the port. Some user applications can time out during the period. In order to allow immediate transition of the port into forwarding state, enable the STP PortFast feature. PortFast immediately transitions the port into STP forwarding mode upon linkup. The port still participates in STP. So if the port is to be a part of the loop, the port eventually transitions into STP blocking mode. T. A. Yang Network Security

26 The STP PortFast feature: vulnerability
Source: As long as the port participates in STP, some device can assume the root bridge function and affect active STP topology. To assume the root bridge function, the device would be attached to the port and would run STP with a lower bridge priority than that of the current root bridge. This is a simple form of a denial of service (DoS) attack on the network. The temporary introduction and subsequent removal of STP devices with low (0) bridge priority cause a permanent STP recalculation. T. A. Yang Network Security

27 The STP PortFast feature: vulnerability & mitigation
Source: The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured. T. A. Yang Network Security

28 L2 security using STP features
BPDU Guard Bridge protocol data units (BPDU) are messages exchanged btwn bridges using STP to detect loops in a network. BPDU Guard feature keeps the active topology predictable and enhances switch network reliability by enforcing the STP domain borders. T. A. Yang Network Security

29 L2 security using STP features
Root Guard A feature preventing a bridge in a particular network from becoming the root bridge of that network e.g., enable Root Guard on service provider (SP) side switch interfaces that connect to a customer-side switch  If a switch outside the SP network becomes the root switch, the interface is put in a blocked state, and STP will select a new root switch. spanning tree guard root T. A. Yang Network Security

30 L2 security using STP features
EtherChannel Guard “Cisco EtherChannel technology is a trunking technology based on grouping several full-duplex Ethernet links to provide fault-tolerant, high-speed links between switches, routers, and servers.” (source: EtherChannel parameters must be the same on both sides (e.g., btwn a switch and a connected device) When the switch detects an EtherChannel misconfiguration, the EtherChannel Guard places the switch interface in the error-disabled state T. A. Yang Network Security

31 L2 security using STP features
Loop Guard prevents alternative or root ports from becoming designated ports, thus avoiding loops An STP loop is created when an STP blocking port in a redundant topology erroneously transitions to the forwarding state. This usually happens because one of the ports of a physically redundant topology (not necessarily the STP blocking port) no longer receives STP BPDUs. In its operation, STP relies on continuous reception or transmission of BPDUs based on the port role. The designated port transmits BPDUs, and the non-designated port receives BPDUs. When one of the ports in a physically redundant topology no longer receives BPDUs, the STP conceives that the topology is loop free. Eventually, the blocking port from the alternate or backup port becomes designated and moves to a forwarding state. This situation creates a loop. T. A. Yang Network Security

32 DHCP Snooping feature Protection from rogue DHCP servers
Ports on a switch are divided into trusted and untrusted ports. DHCP clients and other hosts are connected to the untrusted ports. DHCP servers are connected to trusted ports. The switch maintains a DHCP binding database (aka DHCP snooping table). Incoming packets received on untrusted ports are dropped if the source MAC address does not match the MAC in the binding table. T. A. Yang Network Security

33 IP Source Guard Protection from IP spoofing attacks when a host tries to spoof and use the IP address of another host Any IP traffic coming into the interface with a source IP address other than that assigned will be filtered out. T. A. Yang Network Security

34 Dynamic ARP Inspection (DAI)
ARP (address resolution protocol) resolves a 32-bit IP address into a 48-bit Ethernet address, using an ARP Table. The ARP caches can be “poisoned” (an invalid ARP entry is created in the table). Result: packet redirection to the attacker DAI locks down the IP-MAC mapping for hosts so that the attacking ARP is denied and logged. T. A. Yang Network Security

35 Setting up a secure Layer 2 switching environment
Overview of Counter-measures: Use VLANs to create logical groupings of devices  Each of the groups may have different security levels. Disable unused ports, and place them in a VLAN with no Layer 3 access. Besides VLANs, other mechanisms must be used (e.g., port security) Separate devices should be used for zones at different security levels. Disable Layer 3 connection (e.g., Telnet, HTTP) to the switch. Disable trunking on ports that do not require it (and place the trunk port in its own VLAN). T. A. Yang Network Security

36 Need for other counter-measures
4/21/2017 Need for other counter-measures How about attacks launched from hosts sitting on a LAN? In general, those hosts are considered as trusted entities. So it is difficult to stop a host when it becomes an attacker. Solution: Make sure access to the LAN is secured.  MAC address filtering (e.g., Cisco’s port security, DHCP) T. A. Yang Network Security

Download ppt "Secure LAN Switching Layer 2 security Introduction Port-level controls"

Similar presentations

Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—2-1 Extending Switched Networks with Virtual LANs Introducing VLAN Operations.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
Communication Networks Recitation 3 Bridges & Spanning trees.

Communication Networks Recitation 3 Bridges & Spanning trees.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Part 2: Preventing Loops in the Network

Part 2: Preventing Loops in the Network
Switching & Operations. Address learning Forward/filter decision Loop avoidance Three Switch Functions.

Switching & Operations. Address learning Forward/filter decision Loop avoidance Three Switch Functions.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Course 301 – Secured Network Deployment and IPSec VPN

Course 301 – Secured Network Deployment and IPSec VPN
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,

(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
LOGO Local Area Network (LAN) Layer 2 Switching and Virtual LANs (VLANs) Local Area Network (LAN) Layer 2 Switching and Virtual LANs (VLANs) Chapter 6.

LOGO Local Area Network (LAN) Layer 2 Switching and Virtual LANs (VLANs) Local Area Network (LAN) Layer 2 Switching and Virtual LANs (VLANs) Chapter 6.
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.

Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: LAN Redundancy Scaling Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 2: LAN Redundancy Scaling Networks.
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs
Semester 1 Module 8 Ethernet Switching Andres, Wen-Yuan Liao Department of Computer Science and Engineering De Lin Institute of Technology

Semester 1 Module 8 Ethernet Switching Andres, Wen-Yuan Liao Department of Computer Science and Engineering De Lin Institute of Technology
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.

Similar presentations

Ads by Google