
Configuring and Implementing Switched Data Plane Security Solutions

Examining Layer 2 Attacks

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—1-1


Types of Attacks

1. CAM table overflow (CAM flooding)
2. VLAN hopping
3. Spanning tree manipulation
4. MAC address spoofing
5. PVLAN attacks
6. DHCP attacks
7. ARP spoofing
8. IP spoofing



CAM Table Overflow Attack

[Figure: CAM table overflow. The CAM table holds entries 3/25 MAC X, 3/25 MAC Y and 3/25 MAC Z, all learned on the attacker's port 3/25; hosts A, B, C and D are on VLAN 10. Caption: Attacker sees traffic to servers B and D.]


Port Security

[Figure: port security. One port is limited to MAC A; the attacker's port presents MAC A, MAC D, MAC E and MAC F.]


Secure MAC Addresses

1. Static
2. Dynamic
3. Sticky



Default Settings

Feature                    Default setting
Port security              Disabled
Maximum MAC addresses      1
Violation mode             Shutdown
Sticky address learning    Disabled
Port security aging        Disabled. Aging time is 0. When enabled, the default type is absolute.


Configuration Guidelines
• Only on static access ports
• Not on trunk or dynamic access ports
• Not on SPAN ports
• Not on EtherChannel ports
• Addresses seen on the voice VLAN are learned as dynamic secure addresses
• On a port with a voice VLAN, set the maximum number of MAC addresses to two plus the maximum number of MAC addresses for the access VLAN
• Dynamic port security is enabled on the voice VLAN when port security is enabled on the access VLAN
• Not configurable on a per-VLAN basis
• No aging of sticky addresses
• The protect and restrict options cannot be enabled at the same time


Configuring Port Security

switch(config-if)#
switchport mode access
• Set the interface mode as access

switch(config-if)#
switchport port-security
• Enable port security on the interface

switch(config-if)#
switchport port-security maximum value
• Set the maximum number of secure MAC addresses for the interface (optional)


Configuring Port Security (Cont.)
switch(config-if)#
switchport port-security violation {protect | restrict | shutdown}
• Set the violation mode (optional)

switch(config-if)#
switchport port-security mac-address mac-address
• Enter a static secure MAC address for the interface (optional)

switch(config-if)#
switchport port-security mac-address sticky
• Enable sticky learning on the interface (optional)
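The CAM table overflow slide and the port-security commands above describe two sides of one mechanism: a switch with a full CAM table floods unknown-destination frames out every port, and a per-port limit on secure MAC addresses keeps one port from filling the table. The simulation below is an added example, not code from the Cisco SNRS course: the Switch class, the deliberately tiny CAM capacity of 4 entries, the port names and all MAC addresses are constructed for the demonstration. It also covers the three violation modes (protect, restrict, shutdown) from the slide above.

```python
"""Simulation of a learning switch, CAM table overflow, and port security.

Added example, not code from the Cisco SNRS course. The switch model, the
CAM capacity (4 entries, tiny on purpose), the port names and the MAC
addresses are all constructed for the demonstration.
"""
from collections import OrderedDict


class Switch:
    """Learning switch with one fixed-size CAM table shared by all ports."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()   # MAC -> port
        self.secure = {}           # port -> {"max", "mode", "macs"}
        self.errdisabled = set()
        self.violations = {}       # port -> violation count
        self.log = []

    def enable_port_security(self, port, maximum=1, mode="shutdown"):
        """Equivalent of: switchport port-security maximum N violation MODE."""
        self.secure[port] = {"max": maximum, "mode": mode, "macs": set()}
        self.violations[port] = 0

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam[mac] = port
            return
        if len(self.cam) >= self.cam_capacity:
            return  # CAM full: MAC stays unknown, frames to it are flooded
        self.cam[mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Deliver one frame; return the set of egress ports it reaches."""
        if in_port in self.errdisabled:
            return set()
        sec = self.secure.get(in_port)
        if sec is not None and src_mac not in sec["macs"]:
            if len(sec["macs"]) >= sec["max"]:
                # Violation. protect: drop silently; restrict: drop and
                # count/log; shutdown: drop, count and err-disable the port.
                if sec["mode"] in ("restrict", "shutdown"):
                    self.violations[in_port] += 1
                    self.log.append(f"violation on {in_port} from {src_mac}")
                if sec["mode"] == "shutdown":
                    self.errdisabled.add(in_port)
                return set()
            sec["macs"].add(src_mac)   # learned as a dynamic secure address
        self._learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        if out is None:  # unknown unicast or broadcast: flood
            return {p for p in self.ports
                    if p != in_port and p not in self.errdisabled}
        return {out}


def cam_overflow_demo(port_security):
    """Fill the CAM from Fa0/3, then check who receives host A -> server B."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=4)
    if port_security:
        sw.enable_port_security("Fa0/3", maximum=1, mode="shutdown")
    # Many distinct source MACs arrive on Fa0/3 before A and B are learned
    # (in practice the flood is sustained so aged-out entries cannot be
    # re-learned either).
    for i in range(10):
        sw.forward(f"0000.dead.{i:04x}", "ffff.ffff.ffff", "Fa0/3")
    sw.forward("0000.0a0a.000a", "ffff.ffff.ffff", "Fa0/1")  # host A
    sw.forward("0000.0b0b.000b", "ffff.ffff.ffff", "Fa0/2")  # server B
    delivered = sw.forward("0000.0a0a.000a", "0000.0b0b.000b", "Fa0/1")
    return {"attacker_sees_B": "Fa0/3" in delivered,
            "cam_entries": len(sw.cam),
            "errdisabled": sorted(sw.errdisabled),
            "violations": sw.violations.get("Fa0/3", 0)}


def violation_demo(mode):
    """Second MAC on a maximum-1 secure port under each violation mode."""
    sw = Switch(["Fa0/1", "Fa0/2"], cam_capacity=16)
    sw.enable_port_security("Fa0/1", maximum=1, mode=mode)
    sw.forward("0000.1111.0001", "ffff.ffff.ffff", "Fa0/1")              # allowed
    delivered = sw.forward("0000.1111.0002", "ffff.ffff.ffff", "Fa0/1")  # violates
    return {"delivered": sorted(delivered),
            "violations": sw.violations["Fa0/1"],
            "errdisabled": "Fa0/1" in sw.errdisabled}


if __name__ == "__main__":
    print("no port security:", cam_overflow_demo(False))
    print("port security   :", cam_overflow_demo(True))
    for m in ("protect", "restrict", "shutdown"):
        print(m, violation_demo(m))
```

Without port security the four-entry table fills from Fa0/3, host A and server B never get CAM entries, and the A-to-B unicast is flooded to Fa0/3. With `maximum 1` and `violation shutdown` on Fa0/3, the second source MAC err-disables the port, the table has room for A and B, and the unicast reaches only Fa0/2. The violation_demo function shows why protect gives the least operational visibility: the frame is dropped but nothing is counted or logged.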


Configuring Port Security Aging

switch(config-if)#
switchport port-security aging {static | time time | type {absolute | inactivity}}
• Enable or disable static aging for the secure port, or set the aging time or type


Verifying Port Security

sw-class# show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/12 1 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024


Verifying Port Security (Cont.)

sw-class# show port-security interface fa0/12

Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0


Verifying Port Security (Cont.)

sw-class# show port-security address

Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.ffff.aaaa SecureConfigured Fa0/12 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
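The three show commands above are what an operator reads by hand; on a campus of a few hundred switches the same fields are worth parsing so that violation counts and err-disabled ports surface automatically. The script below is an added example, not code from the Cisco SNRS course. The Fa0/12 lines are the output shown on the slides; the Fa0/13 and Fa0/14 rows and the Fa0/14 interface detail are constructed so the audit has something to report.

```python
"""Parse 'show port-security' output and flag ports needing attention.

Added example, not code from the Cisco SNRS course. The Fa0/12 lines are
the output shown on the slides; the Fa0/13 and Fa0/14 rows and the Fa0/14
detail are constructed to give the audit something to find.
"""
import re

SHOW_PORT_SECURITY = """\
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              1            0                 0         Shutdown
     Fa0/13              2            2                 3         Restrict
     Fa0/14              1            1                 1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

SHOW_INTERFACE = {
    "Fa0/12": """\
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0000.0000.0000
Security Violation Count : 0
""",
    "Fa0/14": """\
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Last Source Address : 0000.dead.beef
Security Violation Count : 1
""",
}

# One per-port row: port, max, current, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_summary(text):
    """Return {port: {...}} from the per-port rows of 'show port-security'."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:   # header, separator and totals lines do not match the pattern
            rows[m.group(1)] = {"max": int(m.group(2)),
                                "current": int(m.group(3)),
                                "violations": int(m.group(4)),
                                "action": m.group(5)}
    return rows


def parse_detail(text):
    """Return {field: value} from 'show port-security interface X'."""
    detail = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            detail[key.strip()] = value.strip()
    return detail


def audit(summary_text, details):
    """List ports with violations and ports err-disabled by port security."""
    findings = []
    for port, row in sorted(parse_summary(summary_text).items()):
        if row["violations"] > 0:
            findings.append(f"{port}: {row['violations']} violation(s), "
                            f"action {row['action']}")
    for port, text in sorted(details.items()):
        d = parse_detail(text)
        if d.get("Port Status") == "Secure-shutdown":
            findings.append(f"{port}: err-disabled, last offending source "
                            f"{d.get('Last Source Address')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_PORT_SECURITY, SHOW_INTERFACE):
        print(finding)
```

Note the distinction in the Port Status field: Secure-down (as on the slide's Fa0/12) only means the link is down with port security configured, while Secure-shutdown means the port was err-disabled by a violation, which is the state worth paging on.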


VLAN Hopping

1. Switch spoofing
2. Double tagging


VLAN Hopping

• Switch spoofing

[Figure: switch spoofing. The attacker's port forms an 802.1Q trunk with the switch, which carries VLAN 10 and VLAN 20, each with a server. Caption: Attacker sees traffic to servers.]


VLAN Hopping

• Double tagging



Mitigating VLAN Hopping
switch(config-if)#
switchport mode access
• Configure port as an access port


Mitigating VLAN Hopping



Mitigating VLAN Hopping

Guidelines
1. Disable all unused ports and place them in an unused VLAN.
2. Set all user ports to nontrunking mode by disabling DTP. (It is not a bad idea to set all ports by default to access mode and then reconfigure the trunking ports as needed.)
3. For backbone switch-to-switch connections, explicitly configure trunking and disable DTP.
4. Do not use VLAN 1 as the switch management VLAN.


Spanning Tree Manipulation

[Figure: spanning tree manipulation. A switched topology with ports marked F (forwarding) and B (blocking); STP BPDUs sent from an attached host cause the Root Bridge to move, shown by a second Root Bridge label.]


Mitigating Spanning Tree Manipulation

switch(config)#
spanning-tree portfast bpduguard default
• Globally enable BPDU guard on all ports

switch(config-if)#
spanning-tree guard root
• Enable root guard on an interface


Mitigating Spanning Tree Manipulation



MAC Spoofing—Man-in-the-Middle Attacks

[Figure: before and after views of a switch with ports 1, 2 and 3 connected to hosts A, B and C. The attacker on port 3 sends frames using MAC A, and the switch then associates MAC A with port 3 instead of port 1.]

PVLAN
All devices using the private VLAN feature must be
configured as VTP transparent.

• Promiscuous ports
• Community ports
• Isolated ports



PVLAN



PVLAN



PVLAN Edge

Protected ports are unable to exchange traffic directly between each other without a Layer 3 device. They can, however, exchange traffic normally with any unprotected ports.


PVLAN Proxy Attack

[Figure: PVLAN proxy attack on subnet 172.30.1.0/24. Host A on an isolated port sends a packet with source IP A, destination IP C, source MAC A and destination MAC B toward the promiscuous port.]


Mitigating PVLAN Proxy Attacks

router(config)# access-list 101 deny ip 172.30.1.0 0.0.0.255 172.30.1.0 0.0.0.255
router(config)# access-list 101 permit ip any any
router(config-if)# ip access-group 101 in

• Build ACL for subnet and apply ACL to interface
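The ACL above works because a packet whose source and destination are both inside 172.30.1.0/24 should never need the router: if one arrives inbound on the router's promiscuous-port interface, a host is using the router as a proxy around the private VLAN. The evaluator below is an added example, not code from the Cisco SNRS course; the two ACL lines are the ones on the slide, while the parser, the first-match-wins evaluator and the sample addresses (172.30.1.10, 172.30.1.20, 192.0.2.7) are constructed for the demonstration. It implements the general IOS wildcard-mask semantics, including the any and host keywords, rather than only the one ACE on the slide.

```python
"""Evaluate the PVLAN proxy-attack ACL from the slides against sample packets.

Added example, not code from the Cisco SNRS course. The ACL lines are the
ones on the slide; the parser, evaluator and the sample addresses
(172.30.1.10, 172.30.1.20, 192.0.2.7) are constructed for the demonstration.
"""
import ipaddress

ACL_101 = [
    "access-list 101 deny ip 172.30.1.0 0.0.0.255 172.30.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
]


def _addr(s):
    return int(ipaddress.IPv4Address(s))


def _parse_match(tokens):
    """Consume one IOS address spec; return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":                 # 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF
    if tok == "host":                # host X  ==  X 0.0.0.0
        return _addr(tokens.pop(0)), 0
    return _addr(tok), _addr(tokens.pop(0))


def parse_ace(line):
    """'access-list N {permit|deny} ip SRC WC DST WC' -> dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    rest = tokens[4:]
    src, src_wc = _parse_match(rest)
    dst, dst_wc = _parse_match(rest)
    return {"action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(acl_lines, src_ip, dst_ip):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    src, dst = _addr(src_ip), _addr(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if (wildcard_match(src, ace["src"], ace["src_wc"]) and
                wildcard_match(dst, ace["dst"], ace["dst_wc"])):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    # Isolated-port host addressing another host in its own subnet through
    # the router: dropped inbound, so the router never forwards it back.
    print(evaluate(ACL_101, "172.30.1.10", "172.30.1.20"))   # deny
    # Traffic leaving the subnet is unaffected.
    print(evaluate(ACL_101, "172.30.1.10", "192.0.2.7"))     # permit
```

The ACL must be applied with `ip access-group 101 in` on the interface facing the PVLAN, as the slide shows; applied outbound it would be evaluated only after the router had already decided to forward the packet back into the subnet.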


DHCP Attacks

1. DHCP starvation attack
2. DHCP server spoofing


ARP Spoofing



Mitigating ARP Spoofing



Mitigating ARP Spoofing



Mitigating ARP Spoofing



IP Source Guard

• Source IP address filtering
• Source IP and MAC address filtering


IP Source Guard



Summary

• Switches, and Layer 2 of the OSI model in general, are subject to network attacks in unique ways.
• The CAM table overflow attack is an attempt to exploit the fixed hardware limitations of the switch's CAM table.
• The port security feature restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
• Several commands are available to verify port security configuration and operation.
• VLAN hopping exploits the use of 802.1Q.
• Spanning tree manipulation allows the attacker to change the root bridge of a network.
• MAC spoofing attacks involve the use of a known MAC address of another host.
• PVLAN proxy attacks use a wrong destination MAC address.

