Ethernet: Layer 2 Security

Eric Vyncke, Distinguished Engineer, Cisco Systems, Evyncke@cisco.com
© 2003, Cisco Systems, Inc. All rights reserved.


The Domino Effect
• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
• Security is only as strong as your weakest link
• When it comes to networking, layer 2 can be a VERY weak link
[Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) next to what each layer trusts (application stream, protocols/ports, IP addresses, MAC addresses, physical links). An initial compromise at the Data Link layer (MAC addresses) leaves every layer above it compromised.]

MAC Attacks

CAM Overflow 1/2
[Figure: a switch with host A on port 1, host B on port 2 and the attacker (MAC C) on port 3. The CAM table starts with "A on port 1, B on port 2". The attacker floods frames with bogus source addresses X, Y, ... so the table fills with "X is on port 3", "Y is on port 3", and so on.]

CAM Overflow 2/2
[Figure: with the CAM table full of the attacker's bogus entries, A sends a frame to B. The switch no longer has an entry for B ("B unknown... flood the frame") and sends the frame out every port, including port 3: "I see traffic to B!" says the attacker on MAC C.]

MAC Flooding Attack Mitigation
• Port Security: allows you to specify the MAC addresses for each port, or to learn a certain number of MAC addresses per port. Upon detection of an invalid MAC, block only the offending MAC or just shut down the port
• Smart CAM table: never overwrite existing entries, only time out inactive entries; active hosts will never be overwritten
• Speak first: a deviation from the learning bridge, which never floods. Requires hosts to send traffic first before receiving
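The two CAM Overflow slides and the mitigation list above can be run through a toy model. This is an added example, not code from the original slides: it implements a learning bridge with a deliberately tiny CAM table (CAM_SIZE is constructed; real tables hold thousands of entries, so a real flood needs that many bogus source addresses), then replays the attack three times: against the naive switch, with a port-security limit of one MAC per user port, and with the "smart CAM table" rule of never overwriting an active entry. The port numbers and MAC addresses are made up.

```python
"""Learning-switch CAM table: overflow attack next to two mitigations.

Added example, not from the original slides. The switch model, the
tiny CAM_SIZE and the MAC addresses are constructed so the effect is
visible in a few lines; a real table holds thousands of entries and the
attacker has to generate that many bogus source addresses.
"""
from collections import OrderedDict
import random

CAM_SIZE = 8    # constructed: real tables are far larger


class LearningSwitch:
    """Transparent bridge: learn source MAC -> ingress port, forward to the
    learned port, flood out every other port when the destination is unknown."""

    def __init__(self, ports, cam_size=CAM_SIZE, max_macs_per_port=None,
                 overwrite_when_full=True):
        self.ports = list(ports)
        self.cam = OrderedDict()                 # MAC -> port, oldest first
        self.cam_size = cam_size
        self.max_macs = max_macs_per_port        # port security limit, None = off
        self.overwrite_when_full = overwrite_when_full   # False = "smart CAM table"
        self.errdisabled = set()                 # ports shut down by port security

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, src, port):
        if src in self.cam:
            self.cam[src] = port                 # known host, keep its entry
            return
        if self.max_macs is not None and self._macs_on(port) >= self.max_macs:
            self.errdisabled.add(port)           # port security: too many MACs
            return
        if len(self.cam) >= self.cam_size:
            if not self.overwrite_when_full:
                return                           # never overwrite active entries
            self.cam.popitem(last=False)         # naive: evict the oldest entry
        self.cam[src] = port

    def forward(self, src, dst, in_port):
        """Return the egress ports the frame is delivered to."""
        if in_port in self.errdisabled:
            return []
        self._learn(src, in_port)
        if in_port in self.errdisabled:          # shut down by this very frame
            return []
        out = self.cam.get(dst)
        if out is None:                          # unknown destination: flood
            return [p for p in self.ports
                    if p != in_port and p not in self.errdisabled]
        return [out] if out != in_port else []


def random_mac(rng):
    """Locally administered unicast MAC, as a flooding tool would generate."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


A, B, BCAST = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "ff:ff:ff:ff:ff:ff"


def run_attack(port_security=False, smart_cam=False):
    """Hosts A (port 1) and B (port 2), attacker C on port 3.
    C floods bogus source MACs, then A sends a unicast frame to B.
    Returns the ports that frame is delivered to."""
    sw = LearningSwitch(ports=[1, 2, 3],
                        max_macs_per_port=1 if port_security else None,
                        overwrite_when_full=not smart_cam)
    sw.forward(A, BCAST, 1)                      # A and B are learned first
    sw.forward(B, BCAST, 2)
    rng = random.Random(1)                       # deterministic bogus MACs
    for _ in range(5 * CAM_SIZE):
        sw.forward(random_mac(rng), BCAST, 3)
    return sw.forward(A, B, 1)


if __name__ == "__main__":
    print("naive switch, A->B goes to ports", run_attack())
    print("port security,  A->B goes to ports", run_attack(port_security=True))
    print("smart CAM,      A->B goes to ports", run_attack(smart_cam=True))
```

On the naive switch the unicast from A to B is flooded to ports 2 and 3, so the attacker on port 3 reads it; with port security the attacker's port is shut after its second source address and the frame goes only to port 2; with the no-overwrite rule A and B simply keep their entries. Inactivity timeouts are not modelled, which is exactly why "only time out inactive entries" matters on real hardware: a quiet host can still be aged out and then flooded to.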

ARP Attacks

ARP Spoofing
[Figure: three hosts in one VLAN: A (IP a, MAC A), B (IP b, MAC B) and the attacker C (IP c, MAC C). C sends A a forged gratuitous ARP reply stating that IP b is at MAC C; A's frames for b now go to MAC C.]
• C is sending a faked gratuitous ARP reply to A
• C sees traffic from IP a to IP b

Mitigating ARP Spoofing
• ARP spoofing works only within one VLAN
• Static ARP table on critical stations (but dynamic ARP overrides static ARP on most hosts!)
• ARP ACL: checking ARP packets within a VLAN ACL, either by static definition or by snooping DHCP for dynamic leases
• No direct communication among a VLAN: private VLAN. Spoofed ARP packets cannot reach other hosts

ARP Spoof Mitigation: Private VLANs
[Figure: a primary VLAN with promiscuous ports (the uplink) and an isolated secondary VLAN. Isolated ports can reach the promiscuous port, but traffic between isolated ports is blocked (marked x).]

VLAN "Hopping" Attacks

Trunk Port Refresher
• Trunk ports have access to all VLANs by default
• Used to carry traffic for multiple VLANs across the same physical link (generally used between switches)

Basic VLAN Hopping Attack
• A station can spoof as a switch with 802.1Q signaling
• The station is then a member of all VLANs
• Requires a trunking-favorable setting on the port (the SANS paper is three years old): http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

Double Encapsulated 802.1Q VLAN Hopping Attack
[Figure: the attacker sends a frame carrying two 802.1Q tags. The first switch strips off the first tag and sends the frame back out over the trunk; the second switch reads the remaining tag and delivers the frame to the victim's VLAN.]
Note: only works if the trunk has the same native VLAN as the attacker
• Send double-encapsulated 802.1Q frames
• Switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunking is set to off on the attacker's port

Mitigation
• Use recent switches
• Disable auto-trunking
• Never put hosts in the trunk native VLAN
• Put unused ports in an unused VLAN
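The double-tag attack and the "never put hosts in the trunk native VLAN" mitigation above can be traced byte by byte. This is an added example, not code from the original slides: it builds raw Ethernet frames with one or two 802.1Q tags (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), models the first switch's ingress on the attacker's access port and its egress onto the trunk (native-VLAN frames go untagged, anything else gets one tag prepended), then classifies the frame as the second switch's trunk ingress would. The VLAN numbers and MAC addresses are constructed.

```python
"""Double-encapsulated 802.1Q hopping: what one level of decapsulation does.

Added example, not from the original slides. Frames are raw bytes in
802.1Q layout; the switch behaviour is reduced to the three steps that
matter: access-port ingress, trunk egress, trunk ingress. VLAN numbers
and MAC addresses are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETH_IP = 0x0800
VICTIM_MAC, ATTACKER_MAC = "00:00:00:00:00:bb", "00:00:00:00:00:cc"


def build_frame(dst, src, vlans, ethertype=ETH_IP, payload=b"hello"):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (list of VLAN IDs outermost first, ethertype, payload)."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0], frame[off + 2:]


def strip_one_tag(frame):
    return frame[:12] + frame[16:]


def access_port_ingress(frame, access_vlan):
    """Classify a frame from a host. Untagged frames land in the access
    VLAN; a tagged frame is accepted only if its first tag is that VLAN,
    and the switch removes exactly that one tag. Returns (vlan, frame) or
    None if the frame is rejected."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] != access_vlan:
        return None
    return access_vlan, strip_one_tag(frame)


def trunk_egress(vlan, frame, native_vlan):
    """Native-VLAN traffic leaves the trunk untagged; anything else gets a tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """The second switch: an untagged frame belongs to the native VLAN,
    otherwise the outer tag decides."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return native_vlan, frame
    return vids[0], strip_one_tag(frame)


def hop(attacker_vlan, victim_vlan, trunk_native_vlan):
    """VLAN in which switch 2 delivers the attacker's double-tagged frame
    (None if switch 1 rejected it)."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, victim_vlan])
    classified = access_port_ingress(frame, attacker_vlan)
    if classified is None:
        return None
    vlan, frame = classified
    on_wire = trunk_egress(vlan, frame, trunk_native_vlan)
    delivered_vlan, _ = trunk_ingress(on_wire, trunk_native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("native VLAN = attacker VLAN:", hop(10, 20, 10))      # lands in 20
    print("dedicated native VLAN 999:  ", hop(10, 20, 999))     # stays in 10
```

With the attacker in VLAN 10 and the trunk's native VLAN also 10, switch 1 strips the outer tag, sends the frame untagged, and switch 2 reads the surviving inner tag and delivers into VLAN 20. Move the native VLAN to a dedicated ID with no hosts in it and switch 1 tags the frame with 10 on egress, so switch 2 keeps it in VLAN 10. Nothing in the model depends on DTP, which is why the slide says the attack works with trunking "off" on the attacker's port.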

Spanning Tree Attacks

Spanning Tree Basics
[Figure: a switch is elected as root; a tree-like loop-free topology is established. Ports are marked F (forwarding) or B (blocking); the redundant link is blocked (X), giving loop-free connectivity.]

Spanning Tree Attack Example 1/2
• Send BPDU messages from the attacker to force spanning tree recalculations; the impact is likely to be DoS
• Send BPDU messages to become the root bridge
[Figure: a root switch above two access switches; the attacker is connected to both access switches and injects BPDUs.]

Spanning Tree Attack Example 2/2
• Send BPDU messages from the attacker to force spanning tree recalculations; the impact is likely to be DoS
• Send BPDU messages to become the root bridge. The hacker then sees frames he shouldn't: MITM, DoS, etc. are all possible. Any attack is very sensitive to the original topology, PVST, trunking, etc. Requires the attacker to be dual homed to two different switches
[Figure: the attacker has become root; the former root's link is now blocked (X) and the two access switches forward through the attacker.]

STP Attack Mitigation
• Disable STP (it is not needed in loop-free topologies, but note that an accidental loop is then no longer contained)
• BPDU Guard: disables a port upon detection of a BPDU message on that port
• Root Guard: blocks a port (root-inconsistent state) whose BPDU advertisement would otherwise make it the path to a new root bridge
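The root-bridge takeover from the two attack slides, and what BPDU Guard and Root Guard do to it, in a reduced model. This is an added example, not code from the original slides: it keeps only the parts of 802.1D that matter here (a bridge ID is a priority and a MAC, the numerically lowest ID wins the election, and a superior BPDU received on a port normally changes the elected root). BPDU Guard err-disables the port on any BPDU; Root Guard leaves the port up but puts it in root-inconsistent state while superior BPDUs arrive. The bridge IDs, port names and the priority 0 used by the attacker are constructed.

```python
"""STP root election with an attacker's BPDU; BPDU Guard and Root Guard.

Added example, not from the original slides. Only root election is
modelled (no path costs, no timers, no port roles). Bridge IDs, port
names and the attacker's priority are constructed.
"""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int            # compared first: lower wins
    mac: str                 # tie-breaker


@dataclass
class Bpdu:
    root_id: BridgeId        # the root the sender believes in
    sender_id: BridgeId


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False
    root_guard: bool = False
    state: str = "forwarding"    # or "errdisabled" / "root-inconsistent"


@dataclass
class Bridge:
    bridge_id: BridgeId
    ports: dict = field(default_factory=dict)
    best_root: BridgeId = None
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.best_root = self.bridge_id   # every bridge starts as its own root

    def add_port(self, port):
        self.ports[port.name] = port

    def receive_bpdu(self, port_name, bpdu):
        port = self.ports[port_name]
        if port.state == "errdisabled":
            return
        if port.bpdu_guard:
            # BPDU Guard: a user port must never see a BPDU; shut it down.
            port.state = "errdisabled"
            self.log.append(f"{port.name}: BPDU guard shut the port down")
            return
        if bpdu.root_id < self.best_root:
            if port.root_guard:
                # Root Guard: a better root may not appear behind this port.
                port.state = "root-inconsistent"
                self.log.append(f"{port.name}: root guard blocked superior BPDU")
                return
            self.best_root = bpdu.root_id        # normal election: adopt it
        elif port.state == "root-inconsistent":
            port.state = "forwarding"            # recovers once superior BPDUs stop


def scenario(bpdu_guard=False, root_guard=False):
    """Access switch with the legitimate root on its uplink and an attacker
    on a user port. Returns (MAC of the elected root, user port state)."""
    legit_root = BridgeId(DEFAULT_PRIORITY, "00:00:00:00:00:01")
    access = Bridge(BridgeId(DEFAULT_PRIORITY, "00:00:00:00:00:10"))
    access.add_port(Port("Gi0/24"))                                    # uplink
    access.add_port(Port("Fa0/1", bpdu_guard=bpdu_guard, root_guard=root_guard))
    access.receive_bpdu("Gi0/24", Bpdu(legit_root, legit_root))
    # The attacker advertises priority 0: numerically lowest, so "best".
    attacker = BridgeId(0, "00:00:00:00:00:cc")
    access.receive_bpdu("Fa0/1", Bpdu(attacker, attacker))
    return access.best_root.mac, access.ports["Fa0/1"].state


if __name__ == "__main__":
    print("unprotected:", scenario())
    print("BPDU guard: ", scenario(bpdu_guard=True))
    print("root guard: ", scenario(root_guard=True))
```

Unprotected, the access switch adopts the attacker as root after a single BPDU; with BPDU Guard the user port is err-disabled and the legitimate root stays; with Root Guard the legitimate root also stays, and the port comes back on its own when the superior BPDUs stop, which is the practical difference between the two features on a port that might legitimately carry a downstream switch.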

Other Attacks

DHCP Rogue Server Attack
• Simply the installation of an unknown DHCP server in the local subnet
• Other attack: exhaustion of DHCP pools
• RFC 3118 "Authentication for DHCP Messages" will help, but has yet to be implemented
• Mitigation: consider using multiple DHCP servers for the different security zones of your network; use intra-VLAN ACLs to block DHCP traffic from unknown servers
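The two filters the deck asks for, the ARP ACL "by snooping DHCP for dynamic leases" (or by static definition) from the Mitigating ARP Spoofing slide and the intra-VLAN block on DHCP traffic from unknown servers above, share one data structure: a binding table learned from DHCP. This added example, not code from the original slides, implements both on top of that table. Packets are a constructed list of simplified dicts rather than captures; the port names, addresses and leases are made up, while the DHCP message types use the real option-53 values (2 = OFFER, 5 = ACK).

```python
"""DHCP snooping binding table feeding an ARP ACL and a rogue-DHCP filter.

Added example, not from the original slides. Packets are simplified
dicts (constructed, not captured); port names, addresses and leases are
made up. Message types 2 (OFFER) and 5 (ACK) are the real DHCP values.
"""
from dataclasses import dataclass

VLAN = 10
A, B, C, GW = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
               "00:00:00:00:00:cc", "00:00:00:00:00:fe")


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str            # "static" for entries defined by hand


class L2Inspector:
    """Per-VLAN DHCP snooping plus ARP inspection, as a switch would do it."""

    def __init__(self, trusted_ports, static_arp=()):
        self.trusted = set(trusted_ports)        # ports towards real DHCP servers
        self.bindings = {}                       # (vlan, mac) -> Binding
        for mac, ip, vlan in static_arp:         # ARP ACL "by static definition"
            self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, "static")
        self.dropped = []                        # (reason, packet)

    def dhcp(self, pkt):
        """Drop server messages from untrusted ports; learn leases from ACKs.
        Returns True if the packet is forwarded."""
        if pkt["msg_type"] in (2, 5) and pkt["port"] not in self.trusted:
            self.dropped.append(("rogue-dhcp", pkt))
            return False
        if pkt["msg_type"] == 5:                 # ACK commits the lease
            self.bindings[(pkt["vlan"], pkt["client_mac"])] = Binding(
                pkt["client_mac"], pkt["yiaddr"], pkt["vlan"], pkt["client_port"])
        return True

    def arp(self, pkt):
        """ARP ACL: sender MAC/IP (and, for learned leases, the port) must
        match a binding in the packet's VLAN. Returns True if forwarded."""
        b = self.bindings.get((pkt["vlan"], pkt["sender_mac"]))
        if (b is None or b.ip != pkt["sender_ip"]
                or (b.port != "static" and b.port != pkt["port"])):
            self.dropped.append(("arp-spoof", pkt))
            return False
        return True


def ack(mac, ip, client_port):
    """Server ACK arriving on the uplink for a client sitting on client_port."""
    return ("dhcp", {"vlan": VLAN, "port": "Gi0/24", "msg_type": 5,
                     "client_mac": mac, "yiaddr": ip, "client_port": client_port})


def arp_from(mac, ip, port):
    return ("arp", {"vlan": VLAN, "port": port,
                    "sender_mac": mac, "sender_ip": ip})


def run_demo():
    """Replay constructed traffic. Returns (forwarded count, drop reasons)."""
    insp = L2Inspector(trusted_ports={"Gi0/24"},
                       static_arp=[(GW, "10.0.0.1", VLAN)])
    traffic = [
        ack(A, "10.0.0.10", "Fa0/1"),
        ack(B, "10.0.0.11", "Fa0/2"),
        ack(C, "10.0.0.12", "Fa0/3"),                   # attacker holds a lease too
        ("dhcp", {"vlan": VLAN, "port": "Fa0/3", "msg_type": 2,   # rogue OFFER
                  "client_mac": A, "yiaddr": "10.0.0.99", "client_port": "Fa0/1"}),
        arp_from(GW, "10.0.0.1", "Gi0/24"),             # static entry: passes
        arp_from(A, "10.0.0.10", "Fa0/1"),              # matches its lease: passes
        arp_from(C, "10.0.0.11", "Fa0/3"),              # C claims B's address
    ]
    forwarded = 0
    for kind, pkt in traffic:
        forwarded += insp.dhcp(pkt) if kind == "dhcp" else insp.arp(pkt)
    return forwarded, [reason for reason, _ in insp.dropped]


if __name__ == "__main__":
    print(run_demo())
```

Five packets pass, two are dropped: the OFFER from the attacker's user port (no trusted server lives there) and the gratuitous ARP in which the attacker, who does hold a legitimate lease for 10.0.0.12, claims B's 10.0.0.11. A static binding for the gateway shows the "static definition" path for hosts that never use DHCP. Note that a rogue OFFER is still a valid DHCP message; it is dropped purely on the port it arrived on, which is the whole logic behind the ACL the slide recommends.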

Proactive Defense

Wire-Speed Access Control Lists
• Many current switches offer wire-speed ACLs to control traffic flows (with or without a router port)
• Allows implementation of edge filtering that might otherwise not be deployed due to performance concerns
• VLAN ACLs and Router ACLs are typically the two implementation methods

Network Intrusion Detection System
• Network IDS are now able to:
  understand trunking protocols;
  run fast enough to handle 1 Gbps, including management of alerts!;
  understand layer 2 attacks

802.1x
• 802.1x is an IEEE standard for port-based network access control
• EAP based
• Improved user authentication: username and password
• Can work on plain 802.3 or 802.11

IEEE 802.1X Terminology
[Figure: the supplicant, on the semi-public network / enterprise edge, speaks EAP over LAN (EAPOL) or EAP over wireless to the authenticator (e.g. switch or access point); the authenticator relays EAP to the authentication server over RADIUS inside the enterprise network.]

What Does It Do?
• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
• The authenticator (switch) becomes the middleman for relaying EAP received in 802.1x packets to an authentication server, by using RADIUS to carry the EAP information
• Three forms of EAP are specified in the standard: EAP-MD5 (MD5 hashed username/password); EAP-OTP (one-time passwords); EAP-TLS (strong PKI-authenticated Transport Layer Security (SSL)), the preferred method of authentication
[Figure: frame layout: 802.1x header followed by the EAP payload]
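The relay described above, with the 802.1x header and EAP payload laid out as bytes. This is an added example, not code from the original slides: the EAPOL header (version, packet type, length) follows IEEE 802.1X and the EAP header (code, identifier, length, then type and type-data) follows RFC 3748; the method is EAP-MD5, whose response is MD5(identifier || password || challenge) as in RFC 1994. The RADIUS leg is modelled as a direct call from the authenticator to the server (on a real switch the same EAP bytes ride inside RADIUS EAP-Message attributes). The user name, password and challenge source are constructed.

```python
"""802.1X exchange: EAPOL on the wire, EAP relayed by the switch, EAP-MD5.

Added example, not from the original slides. Layouts follow IEEE 802.1X
(EAPOL) and RFC 3748 (EAP); the RADIUS leg is a direct call. User name,
password and challenge source are constructed.
"""
import hashlib
import hmac
import os
import struct

EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START = 1, 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eap(code, ident, type_=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol(pkt_type, body=b""):
    """EAPOL (the 802.1x header): Version(1) Packet Type(1) Length(2) [EAP]."""
    return struct.pack("!BBH", EAPOL_VERSION, pkt_type, len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    payload = pkt[4:length]
    return code, ident, (payload[0] if payload else None), payload[1:]


def md5_response(ident, password, challenge):
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthServer:
    """User database plus the EAP-MD5 method: the RADIUS server's job."""

    def __init__(self, users, rng=os.urandom):
        self.users, self.rng = users, rng
        self.pending = {}                  # identifier -> (identity, challenge)

    def handle(self, eap_pkt):
        code, ident, type_, data = parse_eap(eap_pkt)
        if code == EAP_RESPONSE and type_ == EAP_TYPE_IDENTITY:
            challenge, next_id = self.rng(16), (ident + 1) & 0xFF
            self.pending[next_id] = (data.decode(), challenge)
            return eap(EAP_REQUEST, next_id, EAP_TYPE_MD5,
                       bytes([len(challenge)]) + challenge)
        if code == EAP_RESPONSE and type_ == EAP_TYPE_MD5 and ident in self.pending:
            identity, challenge = self.pending.pop(ident)
            expected = md5_response(ident, self.users.get(identity, b""), challenge)
            value = data[1:1 + data[0]]              # Value-Size(1) then Value
            ok = identity in self.users and hmac.compare_digest(value, expected)
            return eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)
        return eap(EAP_FAILURE, ident)


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, eap_req):
        code, ident, type_, data = parse_eap(eap_req)
        if type_ == EAP_TYPE_IDENTITY:
            return eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode())
        if type_ == EAP_TYPE_MD5:
            challenge = data[1:1 + data[0]]
            value = md5_response(ident, self.password, challenge)
            return eap(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([len(value)]) + value)
        raise ValueError("unsupported EAP request type")


def authenticate(supplicant, server):
    """Authenticator (switch) role: EAPOL towards the host, EAP relay towards
    the server. Returns (port_enabled, list of EAPOL frames on the host side)."""
    wire = [eapol(EAPOL_START)]                        # host announces itself
    request = eap(EAP_REQUEST, 0, EAP_TYPE_IDENTITY)   # switch: "who are you?"
    while True:
        wire.append(eapol(EAPOL_EAP_PACKET, request))
        frame = eapol(EAPOL_EAP_PACKET, supplicant.respond(request))
        wire.append(frame)
        reply = server.handle(frame[4:])               # strip EAPOL, relay the EAP
        if parse_eap(reply)[0] in (EAP_SUCCESS, EAP_FAILURE):
            wire.append(eapol(EAPOL_EAP_PACKET, reply))
            return parse_eap(reply)[0] == EAP_SUCCESS, wire
        request = reply


if __name__ == "__main__":
    server = AuthServer({"jdoe": b"correct horse"})
    ok, frames = authenticate(Supplicant("jdoe", b"correct horse"), server)
    print("port enabled:", ok, "after", len(frames), "EAPOL frames")
```

Six EAPOL frames cross the user port: EAPOL-Start, Request/Identity, Response/Identity, Request/MD5-Challenge, Response/MD5-Challenge and the final Success or Failure. The switch never sees the password; it only opens the port on Success. The challenge and the MD5 value travel in clear, which is the practical reason the slide lists EAP-TLS as the preferred method: anyone sniffing the segment can try passwords offline against that pair.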

Example Solution "A": Access Control and User Policy Enforcement
[Figure: the host sends a login request with credentials; the switch checks with the policy DB ("This is John Doe! He goes into VLAN 5"); login good, the switch applies policies and enables the port.]
• Set port VLAN to 5
User has access to the network, with the applicable VLAN

Example Solution "B": Access for Guest Users
[Figure: the switch sends login request after login request; the client is not 802.1x capable. Authentication timeout, retries expired: "Put them in the quarantine zone!"]
• Set port VLAN to 100 (DMZ)
• Set port QoS tagging to 7
• Set QoS rate limit to 2 Mbps
Switch applies policies and enables the port. User has access to the DMZ or "quarantine" network.

Summary

Layer 2 Security Best Practices 1/2
• Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.)
• Always use a dedicated VLAN ID for all trunk ports
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non-trunking
• Deploy port security where possible for user ports
• Selectively use SNMP and treat community strings like root passwords
• Have a plan for the ARP security issues in your network

Layer 2 Security Best Practices 2/2
• Enable STP attack mitigation (BPDU Guard, Root Guard)
• Use private VLANs where appropriate to further divide L2 networks
• Disable all unused ports and put them in an unused VLAN
• Consider 802.1X for the middle term
All of the preceding features are dependent on your own security policy

Final Word
• Switches were not designed for security
• Now, switches are designed with security in mind
• In most cases, with good configuration, they can even enhance your network security