
Layer 2 Security

Some security features that layer 2 devices should provide

- Port security: limits the number of devices allowed to connect to a port.
- Private VLANs: provide a security measure and the ability to partition ports on a switch that are members of the same VLAN. This feature ensures that users can communicate only with their own default gateway and not with other users' gateways. Private VLANs are often used effectively in DMZ (Demilitarized Zone) environments.
- STP root guard / BPDU guard: eliminates spanning-tree attacks by shutting down any port that could cause a change in the layer 2 network topology.
- SSH support: provides a secure remote connection to layer 2 and layer 3 devices. For remote connections, SSH offers a higher level of security than Telnet because it provides strong encryption.
- VMPS (VLAN Membership Policy Server): allows specific MAC addresses to be mapped to specific VLANs. This feature lets mobile users in a campus network always connect with the same network security measures applied.
- IEEE 802.1X authentication: protects the network by authenticating users against a central database before any form of connection is allowed. By contrast, most users inside local networks can usually gain access simply by plugging into an Ethernet connection, without any authentication.
- Wire-rate ACLs: allow access control lists to be enforced without reducing system performance.
Below are some types of attacks against layer 2 of a system.

1. MAC flooding attack

The CAM (Content Addressable Memory) table stores the MAC addresses learned on the ports and the VLAN parameters in the switch. Memory space in the CAM table is limited, so there is a risk of the CAM table overflowing.
A MAC flooding attack tries to overflow the CAM table of the switches; once that happens, the switch behaves like a hub.
An attack of this kind looks like traffic from thousands of computers being forwarded to one port, but in reality it comes from a single machine spoofing the MAC addresses of thousands of fake hosts.
For example, macof is a common tool for carrying out attacks of this kind; it can generate tens of thousands of bogus MAC entries on a port every minute. The switch sees the traffic, assumes the MAC addresses in the packets sent by the attacker are legitimate, and adds entries for them to the CAM table.
Once the CAM table overflows, the switch broadcasts traffic on the VLAN without consulting the CAM table any more.
The most basic countermeasure is to configure port security to limit the number of PCs allowed to connect to the switch.
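As an added example that is not part of the original article, the following Python model reproduces the behaviour described above: a CAM table of fixed capacity is filled with spoofed source MACs until the victim's entry is displaced and unicast traffic to it is flooded on the VLAN, and the same scenario is run with port security limiting the MACs learned per port. The switch model, addresses, port numbers and capacities are all constructed for illustration; CAM aging is approximated by evicting the oldest entry when the table is full.

```python
from collections import OrderedDict

FLOOD = "FLOOD"   # frame is flooded to every port in the VLAN (hub-like behaviour)

class Switch:
    """Constructed toy model of a switch CAM table, not a real forwarding engine.
    Aging is approximated by evicting the oldest entry once the table is full."""

    def __init__(self, cam_capacity, port_security_max=None):
        self.cam_capacity = cam_capacity
        self.port_security_max = port_security_max   # None = port security disabled
        self.cam = OrderedDict()                     # source MAC -> ingress port
        self.err_disabled = set()                    # ports shut down by a violation

    def learn(self, src_mac, port):
        """Learn src_mac on port. Returns False if the frame was dropped."""
        if port in self.err_disabled:
            return False
        if self.port_security_max is not None and src_mac not in self.cam:
            seen_on_port = sum(1 for p in self.cam.values() if p == port)
            if seen_on_port >= self.port_security_max:
                self.err_disabled.add(port)          # violation mode "shutdown"
                return False
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)            # refresh an existing entry
        elif len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)             # oldest entry is aged out
        self.cam[src_mac] = port
        return True

    def forward(self, dst_mac):
        """Egress decision for a unicast frame: a port number, or FLOOD."""
        return self.cam.get(dst_mac, FLOOD)

VICTIM = "00:11:22:33:44:01"   # constructed addresses
SERVER = "00:11:22:33:44:02"

def mac_flood_demo(port_security_max=None, bogus_macs=5000):
    """Victim on port 1, server on port 2, attacker on port 3 sending bogus source MACs."""
    sw = Switch(cam_capacity=1000, port_security_max=port_security_max)
    sw.learn(VICTIM, 1)
    sw.learn(SERVER, 2)
    for i in range(bogus_macs):
        sw.learn("02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xff, i >> 8 & 0xff, i & 0xff), 3)
    return sw

if __name__ == "__main__":
    open_sw = mac_flood_demo()
    print("no port security: server->victim goes to", open_sw.forward(VICTIM))
    safe_sw = mac_flood_demo(port_security_max=1)
    print("port security max 1: server->victim goes to", safe_sw.forward(VICTIM),
          "| attacker port err-disabled:", 3 in safe_sw.err_disabled)
```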

VLAN hopping attacks

This kind of attack usually stems from a misconfiguration on the switch.
VLAN hopping attacks rely on trunking: improperly configured trunk ports allow an attacker to bypass layer 3 devices when sending traffic from one VLAN to another.
By default, trunk ports have access to all VLANs. Data carried over the trunk can be encapsulated with IEEE 802.1Q or ISL (Cisco), which are used to exchange information between switches.
The DTP (Dynamic Trunking Protocol) automatically negotiates the ISL/802.1Q trunking type.
The DTP state can be configured on each trunk port. The states are: On, Off, Desirable, Auto and Non-Negotiate.
- On: used when the other switch does not understand DTP.
- Off: used when the port has been configured in advance not to become a trunk port.
- Desirable: used when the port should become a trunk port.
- Auto: the default state on many switches.
- Non-Negotiate: used when the port type is explicitly specified as ISL or .1Q.

Basic VLAN hopping attack

The attacker tricks the switch into believing that it wants to establish a trunk link. This technique requires a "trunking-favourable" setting, such as Auto, for the attack to succeed. The attacker then becomes a member of all the VLANs connected to the switch and can send and receive traffic on those VLANs.
The way to prevent this attack is to disable trunking on all ports except those that need it.

Double-encapsulated VLAN hopping attack

This attack exploits the way the hardware in most switches operates. Today, most switches perform only one level of IEEE 802.1Q encapsulation. This lets the attacker add his own 802.1Q tag (the .1Q tag) to the frame, and the frame is then delivered into a VLAN that the outer .1Q tag did not specify.
An important characteristic of this attack is that it works even against trunk ports set to Off.
Preventing this kind of attack is therefore not as easy as preventing the basic VLAN hopping attack. The best measure is to ensure that the VLANs used by the trunk ports are kept distinct from the VLANs of the user ports.
Conclusion

Besides MAC flooding and VLAN hopping attacks, there are a number of other attacks such as spanning-tree attacks, ARP spoofing and DHCP attacks, all of which can occur at layer 2. Countermeasures can be found at http://www.blackhat.com.
In addition, the following points should be observed:
- Restrict management access to the switch so that untrusted areas of the network cannot exploit management interfaces and protocols such as SNMP (Simple Network Management Protocol).
- Prevent denial-of-service attacks and other exploits by locking down the spanning-tree protocol and other dynamic protocols.
- Use hardware ACLs wherever possible to block unwanted traffic.
- Use dedicated VLAN IDs for all trunk ports.
- Shut down all unused ports in the VLAN.
- Use port security measures to help protect the system against switch attacks.
