1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 10 – Configure Filtering on a Switch

3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 10.1 Introduction to Layer 2 Attacks 10.2 MAC Address, ARP, and DHCP Vulnerabilities 10.3 VLAN Vulnerabilities 10.4 Spanning-Tree Protocol Vulnerabilities

4 © 2005 Cisco Systems, Inc. All rights reserved. Module 10 – Configure Filtering on a Switch 10.1 Introduction to Layer 2 Attacks

5 © 2005 Cisco Systems, Inc. All rights reserved. Types of Attacks CAM table overflow Media Access Control (MAC) address spoofing DHCP starvation

6 © 2005 Cisco Systems, Inc. All rights reserved. Module 10 – Configure Filtering on a Switch 10.2 MAC Address, ARP, and DHCP Vulnerabilities

7 © 2005 Cisco Systems, Inc. All rights reserved. CAM Table Overflow Attack AB C D VLAN 10 ABC Attacker sees traffic to servers B and D 3/25 3/25 MAC E 3/25 MAC F 3/25 MAC G ABC B D

8 © 2005 Cisco Systems, Inc. All rights reserved. Mitigating the CAM Table Overflow Attack switch(config-if)# switchport port-security Enable port security on interface. switch(config-if)# switchport port-security [mac_addr] Enable port security and set specific MAC address (H.H.H).

9 © 2005 Cisco Systems, Inc. All rights reserved. Mitigating the CAM Table Overflow Attack switch(config-if)# switchport port-security maximum (1-132) Set maximum number of MAC addresses. switch(config-if)# switchport port-security violation shutdown [protect | restrict | shutdown] Set action on violation.

10 © 2005 Cisco Systems, Inc. All rights reserved. MAC Spoofing – Man in the Middle Attacks A B C ABC SWITCH PORT 123 MAC A A B C ABC SWITCH PORT 123 Attacker

11 © 2005 Cisco Systems, Inc. All rights reserved. Mitigating MAC Spoofing Attacks – Cisco IOS switch(config-if)# port security max-mac-count {1-132} Enable port security and set maximum MAC address. switch(config-if)# port security action {shutdown|trap} Specify action to take when violation occurs. switch(config-if)# arp timeout seconds Specify ARP timeout.

12 © 2005 Cisco Systems, Inc. All rights reserved. ARP Spoofing /24.2 Attacker.1 ARP for.1 I’m.1!

13 © 2005 Cisco Systems, Inc. All rights reserved. Mitigating ARP Spoofing with DHCP Snooping ip dhcp snooping switch(config)# Enable DHCP Snooping. ip dhcp snooping vlan vlan_id {,vlan_id} switch(config)# Enable DHCP Snooping for specific VLANs. ip dhcp snooping trust switch(config-if)# Configure an interface as trusted for DHCP snooping purposes.

14 © 2005 Cisco Systems, Inc. All rights reserved. Mitigating ARP Spoofing with DHCP Snooping ip dhcp snooping limit rate rate switch(config-if)# Set rate limit for DHCP Snooping.

15 © 2005 Cisco Systems, Inc. All rights reserved. DHCP Starvation DHCP Server DHCP Requests with spoofed MAC addresses Attacker attempting to set up rogue DHCP Server

16 © 2005 Cisco Systems, Inc. All rights reserved. Commands to Mitigate DHCP Starvation Attacks ip dhcp snooping switch(config)# Enable DHCP Snooping. ip dhcp snooping vlan vlan_id {,vlan_id} switch(config)# Enable DHCP Snooping for specific VLANs. ip dhcp snooping trust switch(config-if)# Set interface to trusted state.

17 © 2005 Cisco Systems, Inc. All rights reserved. Commands to Mitigate DHCP Starvation Attacks (Cont.) ip dhcp snooping limit rate rate switch(config-if)# Set rate limit for DHCP Snooping.

18 © 2005 Cisco Systems, Inc. All rights reserved. Module 10 – Configure Filtering on a Switch 10.3 VLAN Vulnerabilities

19 © 2005 Cisco Systems, Inc. All rights reserved. Double 802.1q Encapsulation VLAN Hopping Attack Send 802.1q double encapsulated frames Switch performs only one level of decapsulation Unidirectional traffic only Works even if trunk ports are set to off VLAN 1,VLAN 2 The first 802.1q header is removed Note: Only works if the trunk is configured with the native VLAN of the network attacker

20 © 2005 Cisco Systems, Inc. All rights reserved. Double 802.1q Encapsulation VLAN Hopping Attack Send 802.1q double encapsulated frames Switch performs only one level of decapsulation Unidirectional traffic only Works even if trunk ports are set to off The frame is forwarded with the second 802.1q header VLAN 1 Note: Only works if the trunk is configured with the native VLAN of the network attacker

21 © 2005 Cisco Systems, Inc. All rights reserved. Double 802.1q Encapsulation VLAN Hopping Attack Send 802.1q double encapsulated frames Switch performs only one level of decapsulation Unidirectional traffic only Works even if trunk ports are set to off The frame reaches a host on a VLAN that the attacker does not belong to VLAN 1 Note: Only works if the trunk is configured with the native VLAN of the network attacker

22 © 2005 Cisco Systems, Inc. All rights reserved. Security Best Practices for VLANs and Trunking Always use a dedicated VLAN ID for all trunk ports Disable unused ports and put them in an unused VLAN Be paranoid – Do not use VLAN 1 for anything Disable auto-trunking on user facing ports (DTP off) Explicitly configure trunking on infrastructure ports Use all tagged mode for the native VLAN on trunks

23 © 2005 Cisco Systems, Inc. All rights reserved. Module 10 – Configure Filtering on a Switch 10.4 Spanning-Tree Vulnerabilities

24 © 2005 Cisco Systems, Inc. All rights reserved. Spanning Tree Attack Example The attacker sends BPDU messages to become the root bridge Access Switches Root X BPDU BPDU Blocked

25 © 2005 Cisco Systems, Inc. All rights reserved. Spanning Tree Attack Example The attacker sends BPDU messages to become the root bridge The attacker then sees frames he shouldn’t Man in the middle and DoS attacks become possible This attack requires that the attacker is connected to two different switches. This can be done with either multiple NICs or a with a hub. Access Switches Root X Blocked

26 © 2005, Cisco Systems, Inc. All rights reserved.