Common Layer 2 Attacks and Countermeasures (Cisco Systems presentation, © 2006 Cisco Systems, Inc., Cisco Confidential)

Presentation transcript:

Slide 1: Common Layer 2 Attacks and Countermeasures

Slide 2: Agenda
- VLAN Attacks and Security: VLAN Hopping, VTP, STP, Other
- Layer 2 Attacks and Security: MAC, DHCP, ARP, Spoofing, Other

Slide 3: VLAN Attacks and Security

Slide 4: VLAN Hopping (Dynamic Trunking Protocol)
- Manually configure trunk and access ports; don't rely on the default dynamic port configuration.
- CLI:
    switchport mode trunk
    switchport mode access

Slide 5: VLAN Hopping (double tagging of 802.1Q frames)

Slide 6: VLAN Hopping Countermeasures
- Clear unnecessary VLANs from the trunk:
    switchport trunk allowed vlan 10,11,12
    switchport trunk allowed vlan remove 10,12
- Don't use the trunk native VLAN anywhere else:
    switchport trunk native vlan 999
- Set trunks to 802.1Q "all tagged" mode:
    vlan dot1q tag native

Slide 7: VTP Security
- VTP automatically hands out the domain name and VLAN information to VTP servers and VTP clients.
- VTP servers are not regulated: the VTP server with the highest revision number is the 'boss'.
- Use VTP transparent mode, or VTP server/client mode with a domain name and password.

Slide 8: Port Settings
- If a port is connected to a 'foreign' device, disable Layer 2 protocols (CDP, DTP, PAgP, UDLD):
    switchport host
    switchport nonegotiate
- Enable spanning-tree PortFast with BPDU guard and/or root guard; use RPVST+:
    spanning-tree bpduguard enable
    spanning-tree guard root

Slide 9: Other VLAN Security
- Private VLANs
- VACLs
- Dynamic VLAN assignment
- 802.1X (identity-based networking)
- NAC

Slide 10: Layer 2 Attacks and Security

Slide 12: MAC Attacks
- MAC flooding overflows the switch MAC address table (CAM), forcing the switch to forward frames to all ports in a VLAN (much like a hub).
- The macof tool generates random MAC/IP address combinations in order to overflow the CAM table.

Slide 13: MAC Security
- Port Security limits the number of MAC addresses that can be learned on a single port, preventing MAC flooding.
- MAC learning modes:
    static: manually configured, saved in the startup config (copy run start)
    sticky: automatically learned and added to the running config (saved with copy run start)
    dynamic: automatically learned, not saved
- MAC counters: the number of MACs allowed; timers: how long to remember the MAC(s)
- Violation actions:
    protect: drop traffic from unknown MACs when over the limit
    restrict: drop traffic from unknown MACs when over the limit and send an alarm
    shutdown: shut down the port (errdisable)

Slide 14: No Port Security Enabled
    interface GigabitEthernet1/0/1
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
     spanning-tree portfast
Before MACOF attack:
    Layer2-Switch#sh mac address-table count
    Mac Entries for Vlan 10:
    Dynamic Address Count : 1
    Static Address Count : 1
    Total Mac Addresses : 2
    Total Mac Address Space Available: 6078

Slide 16: After MACOF attack
    Layer2-Switch#sh mac address-table count
    Mac Entries for Vlan 10:
    Dynamic Address Count : 6079
    Static Address Count : 1
    Total Mac Addresses : 6080
    Total Mac Address Space Available: 0

Slide 17: Port Security Enabled
    interface GigabitEthernet1/0/1
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     spanning-tree portfast
Before MACOF attack:
    Layer2-Switch#sh port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)        (Count)      (Count)
    Gi1/0/                                                      Restrict
    Gi1/0/                                                      Restrict
    Total Addresses in System (excluding one mac per port) : 2
    Max Addresses limit in System (excluding one mac per port) : 6272

Slide 18: During and After MACOF attack
    Layer2-Switch#sh mac address-table count
    Mac Entries for Vlan 10:
    Dynamic Address Count : 1
    Static Address Count : 4
    Total Mac Addresses : 5
    Total Mac Address Space Available: 6075
    Layer2-Switch#sh port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)        (Count)      (Count)
    Gi1/0/                                                      Restrict
    Gi1/0/                                                      Restrict
    Total Addresses in System (excluding one mac per port) : 2
    Max Addresses limit in System (excluding one mac per port) : 6272
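
To make the violation modes on slide 13 and the before/after counts on slides 14 to 18 concrete, here is an added Python model (not Cisco's code and not from the deck) of a CAM table and a port with port security. The 6080-entry capacity follows the slides' figures; the burst of unique source MACs stands in for a macof run.

```python
class SecurePort:
    """One access port. maximum=None means port security is not enabled."""
    def __init__(self, name, maximum=None, violation="restrict"):
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure_macs = set()   # MACs the port has learned and locked
        self.violations = 0        # counted only for restrict and shutdown
        self.errdisabled = False


class Switch:
    """Minimal CAM-table model; capacity 6080 matches the slides' counts."""
    def __init__(self, capacity=6080):
        self.capacity = capacity
        self.cam = {}              # mac -> port name

    def learn(self, port, mac):
        """Return True if the frame's source MAC is accepted, False if dropped."""
        if port.errdisabled:
            return False
        if port.maximum is None:                       # no port security
            if mac not in self.cam and len(self.cam) >= self.capacity:
                return True  # CAM full: frame still forwarded, but flooded hub-like
            self.cam.setdefault(mac, port.name)
            return True
        if mac in port.secure_macs:
            return True
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.add(mac)
            self.cam[mac] = port.name
            return True
        # Over the limit: apply the violation action from slide 13.
        if port.violation == "protect":                # drop silently
            return False
        port.violations += 1                           # restrict: drop and alarm
        if port.violation == "shutdown":               # shutdown: errdisable port
            port.errdisabled = True
        return False


def flood(switch, port, frames):
    """Replay a macof-style burst of unique source MACs; return a summary."""
    accepted = 0
    for i in range(frames):
        mac = f"02{i:010x}"        # locally administered, unique per frame
        if switch.learn(port, mac):
            accepted += 1
    return {"cam_entries": len(switch.cam), "accepted": accepted,
            "violations": port.violations, "errdisabled": port.errdisabled}
```

Without port security the table fills to capacity and every later frame is flooded; with `maximum 3` and `violation restrict` the port keeps three entries and counts every excess frame, which is the "Static Address Count : 4" picture on slide 18 plus an alarm.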

Slide 19: DHCP Attacks
- DHCP starvation is a DoS attack which prevents valid hosts from getting a dynamic IP configuration.
- A rogue DHCP server is used to pass invalid IP configuration information to valid hosts.

Slide 20: DHCP Security
- DHCP exhaustion (starvation) can be prevented with the same port security measures used to protect against MAC flooding.
- Rogue DHCP servers can be eliminated with DHCP Snooping, where all DHCP requests and replies are tracked and rate limited.
- Valid DHCP server ports must be 'trusted'.

Slide 21: ARP Attacks
- ARP poisoning is used to alter ARP entries in a switch and on hosts.
- This allows an attacker to send gratuitous ARP replies that redirect traffic from hosts on the VLAN through his machine.

Slide 22: ARP Security
- Dynamic ARP Inspection (DAI) is used to prevent ARP poisoning.
- DAI uses the information in the DHCP snooping table to ensure invalid ARP packets are dropped; ARP packets are also rate limited.
- With both DHCP snooping and DAI, static entries can be built for non-DHCP devices.

Slide 23: No DAI Enabled
Before ARP poisoning:
PC:
    C:\>arp -a
    Interface: x10003
    Internet Address  Physical Address  Type
    f  dynamic
    b4-98-6f  dynamic
    a6-c0  dynamic
Switch:
    Layer2-Switch#sh arp
    Protocol  Address  Age (min)  Hardware Addr  Type  Interface
    Internet  f  ARPA  Vlan10
    Internet  b  ARPA  Vlan10
    Internet  a6c0  ARPA  Vlan10

Slide 25: During ARP poisoning
PC:
    C:\>arp -a
    Interface: x10003
    Internet Address  Physical Address  Type
    b4-98-6f  dynamic
    b4-98-6f  dynamic
    b4-98-6f  dynamic
Switch:
    Layer2-Switch#sh arp
    Protocol  Address  Age (min)  Hardware Addr  Type  Interface
    Internet  f  ARPA  Vlan10
    Internet  b4.986f  ARPA  Vlan10
    Internet  b4.986f  ARPA  Vlan10
Telnet example from Ettercap:
    TELNET: :23 -> USER: admin PASS: cisco
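
An added example, not part of the slide deck: a small Python check for the host-side symptom on slide 25, where several IP addresses suddenly resolve to one physical address and existing bindings change. The two `arp -a` snapshots are constructed with placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed Windows 'arp -a' output (placeholder addresses, not the slides'
# values): the same PC before and during ARP poisoning.
ARP_BEFORE = """\
Interface: 192.0.2.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-aa-bb-01     dynamic
  192.0.2.2             00-11-22-aa-bb-02     dynamic
  192.0.2.3             00-11-22-aa-bb-03     dynamic
"""
ARP_DURING = """\
Interface: 192.0.2.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-b4-98-6f     dynamic
  192.0.2.2             00-11-22-b4-98-6f     dynamic
  192.0.2.3             00-11-22-b4-98-6f     dynamic
"""

ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp_a(text):
    """Return {ip: mac} from 'arp -a' output; the header lines do not match."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def shared_macs(table):
    """MACs that several IPs resolve to. A router holding secondary addresses
    or doing proxy ARP can cause this legitimately, so treat it as a lead."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before, after):
    """IPs whose MAC differs between two snapshots, as (ip, old_mac, new_mac)."""
    return sorted((ip, before[ip], after[ip])
                  for ip in before.keys() & after.keys() if before[ip] != after[ip])
```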

Slide 26: DAI Enabled
    ip dhcp snooping vlan 10
    ip dhcp snooping database flash:dhcpsnooping.db
    ip dhcp snooping
    ip arp inspection vlan 10
    ip arp inspection validate src-mac dst-mac ip
    ip arp inspection log-buffer entries 1024
    ip arp inspection log-buffer logs 1024 interval 10
    interface GigabitEthernet1/0/1
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     ip arp inspection limit rate 25
     spanning-tree portfast
     ip verify source
     ip dhcp snooping limit rate 25

Slide 27: During ARP poisoning (DAI enabled)
PC:
    C:\>arp -a
    Interface: x10003
    Internet Address  Physical Address  Type
    f  dynamic
    b4-98-6f  dynamic
    a6-c0  dynamic
Switch:
    Layer2-Switch#sh arp
    Protocol  Address  Age (min)  Hardware Addr  Type  Interface
    Internet  f  ARPA  Vlan10
    Internet  b  ARPA  Vlan10
    Internet  b4.986f  ARPA  Vlan10
    Internet  a6c0  ARPA  Vlan10
    Layer2-Switch#sh log
    1d00h: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi1/0/1, vlan 10. ([ b4.986f/ / a6c0/ /00:14:53 UTC Tue Mar ])
    1d00h: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi1/0/1, vlan 10. ([ b4.986f/ /0006.5b / /00:14:53 UTC Tue Mar ])
    1d00h: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi1/0/1, vlan 10. ([ b4.986f/ / a6c0/ /00:14:53 UTC Tue Mar ])
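
An added Python example, not from the deck, that turns the %SW_DAI-4-DHCP_SNOOPING_DENY lines on slide 27 into a per-port count that a monitoring system can alert on. The sample log lines are constructed with placeholder MACs and addresses, the bracketed tuple is read in the sender-MAC/sender-IP/target-MAC/target-IP order the slide's lines follow, and the alert threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the slide 27 format; MACs and IPs are placeholders.
SAMPLE_LOG = """\
1d00h: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi1/0/1, vlan 10. ([0000.b498.6f01/192.0.2.50/0000.0000.a6c0/192.0.2.1/00:14:53 UTC Tue Mar 7 2006])
1d00h: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi1/0/1, vlan 10. ([0000.b498.6f01/192.0.2.50/0006.5b00.0001/192.0.2.2/00:14:53 UTC Tue Mar 7 2006])
1d00h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/7, vlan 10. ([0000.1111.2222/192.0.2.77/0000.0000.0000/192.0.2.1/00:15:02 UTC Tue Mar 7 2006])
1d00h: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
"""

DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\s*\(\[(?P<tuple>[^\]]*)\]\)")


def parse_dai_denies(log):
    """Yield one dict per DAI deny message; unrelated syslog lines are skipped."""
    for line in log.splitlines():
        m = DENY.search(line)
        if not m:
            continue
        # tuple order: sender MAC / sender IP / target MAC / target IP / time
        sender_mac, sender_ip, target_mac, target_ip = m.group("tuple").split("/")[:4]
        yield {"intf": m.group("intf"), "vlan": int(m.group("vlan")),
               "count": int(m.group("count")), "kind": m.group("kind"),
               "sender_mac": sender_mac, "sender_ip": sender_ip,
               "target_mac": target_mac, "target_ip": target_ip}


def summarize(log, threshold=3):
    """Per (interface, vlan): denied ARP total, sender MACs and target IPs seen;
    'alert' is set once the total reaches the (assumed) threshold."""
    totals = defaultdict(lambda: {"denied": 0, "senders": set(), "targets": set()})
    for ev in parse_dai_denies(log):
        key = (ev["intf"], ev["vlan"])
        totals[key]["denied"] += ev["count"]
        totals[key]["senders"].add(ev["sender_mac"])
        totals[key]["targets"].add(ev["target_ip"])
    return {key: dict(v, alert=v["denied"] >= threshold) for key, v in totals.items()}
```

One sender MAC claiming several target IPs on one port is the slide 25 pattern seen from the switch side; the per-port `ip arp inspection limit rate 25` on slide 26 separately errdisables a port that exceeds 25 ARPs per second, which these log lines do not show.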

Slide 28: Spoofing Attacks
- MAC spoofing
- IP spoofing
- Spoofing is a method of using the MAC or IP address of another device and then assuming the privilege level of that device.

Slide 29: Spoofing Security
- IP Source Guard prevents both MAC and IP address spoofing using information from the DHCP snooping table.
- Preventing MAC spoofing requires a specific option 82 to be assigned by the DHCP server (Cisco Registrar, Cisco IOS and the Avaya DHCP server can do this).
- Preventing IP spoofing has no other requirements and is configured per port.

Slide 30: No IP Source Guard Enabled
    interface GigabitEthernet1/0/1
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     ip arp inspection limit rate 25
     spanning-tree portfast
     ip dhcp snooping limit rate 25

Slide 31: Debug of IP spoofing attack
    Layer2-Switch#debug ip icmp
    ICMP packet debugging is on
From attacker machine ( ), not spoofing:
    nemesis icmp -S D
On switch:
    Layer2-Switch#
    1d00h: ICMP: echo reply sent, src , dst
From attacker machine ( ), spoofing:
    nemesis icmp -S D
On switch:
    Layer2-Switch#
    1d00h: ICMP: echo reply sent, src , dst

Slide 33: IP Source Guard Enabled
    interface GigabitEthernet1/0/1
     switchport access vlan 10
     switchport mode access
     switchport nonegotiate
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 2
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     ip arp inspection limit rate 25
     spanning-tree portfast
     ip verify source
     ip dhcp snooping limit rate 25

Slide 34: Debug of IP spoofing attack (IP Source Guard enabled)
    Layer2-Switch#debug ip icmp
    ICMP packet debugging is on
From attacker machine ( ), not spoofing:
    nemesis icmp -S D
On switch:
    Layer2-Switch#
    1d00h: ICMP: echo reply sent, src , dst
From attacker machine ( ), spoofing:
    nemesis icmp -S D
On switch:
    [nothing]
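
An added Python audit, not from the deck, that checks a running-config for the per-port hardening the slides build up (slides 6, 17, 26 and 33: nonegotiate, port security, DAI and DHCP snooping rate limits, IP Source Guard, and an explicit native and allowed VLAN list on trunks). The sample config is constructed, and the set of required commands is this example's reading of the slides.

```python
# Constructed running-config (not from the slides): one port hardened as on
# slides 17/26/33, one bare access port, one trunk still on the default native VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
 ip arp inspection limit rate 25
 ip verify source
 ip dhcp snooping limit rate 25
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
"""

# Commands each port type must carry. A trailing space means "prefix match" (an
# argument follows); otherwise the line must match exactly, so that
# 'switchport port-security maximum 3' alone does not count as enabling it.
ACCESS_REQUIRED = ["switchport nonegotiate", "switchport port-security",
                   "ip arp inspection limit rate ", "ip dhcp snooping limit rate ",
                   "ip verify source"]
TRUNK_REQUIRED = ["switchport trunk native vlan ", "switchport trunk allowed vlan "]


def present(lines, req):
    return any(l == req or (req.endswith(" ") and l.startswith(req)) for l in lines)


def parse_interfaces(config):
    """Return {interface name: [indented lines]} for every 'interface' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def audit(config):
    """Return {interface: [findings]}; an empty list means the port passes."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" in lines:
            required = ACCESS_REQUIRED
        elif "switchport mode trunk" in lines:
            required = TRUNK_REQUIRED
        else:  # default dynamic mode: DTP may negotiate a trunk (slide 4)
            report[name] = ["port mode not set explicitly"]
            continue
        report[name] = [f"missing '{req.strip()}'" for req in required
                        if not present(lines, req)]
    return report
```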

Slide 35: Other Notables
- HSRP/GLBP authentication
- Routing protocol authentication
- Storm control