Transcript of the slide deck "Ethernet: Layer 2 Security" by Eric Vyncke (Cisco Systems, 2003), posted 19-Dec-2015.

© 2003, Cisco Systems, Inc. All rights reserved. (Vyncke, Ethernet security)

Ethernet: Layer 2 Security

Eric Vyncke, Distinguished Engineer, Cisco Systems

[email protected]


The Domino Effect

• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
• Security is only as strong as your weakest link
• When it comes to networking, layer 2 can be a VERY weak link

[Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) on two hosts, annotated with what each layer carries: application stream, protocols/ports, IP addresses, MAC addresses, physical links. An initial compromise of the data-link layer leaves every layer above it compromised.]


MAC Attacks

CAM Overflow 1/2

[Figure: hosts with MAC A, B and C on ports 1, 2 and 3 of one switch.]

Before the attack the CAM (MAC address) table holds one entry per host:

  MAC  port
  A    1
  B    2
  C    3

The attacker on port 3 sends a frame with forged source MAC X ("X is on port 3"); it takes a table entry and, the table being full, overwrites A's entry:

  MAC  port
  X    3
  B    2
  C    3

Then Y ("Y is on port 3"), and so on, until the table is full of bogus entries and B's entry is gone too:

  MAC  port
  X    3
  Y    3
  C    3

CAM Overflow 2/2

The table is now full of bogus entries for port 3:

  MAC  port
  X    3
  Y    3
  C    3

When A sends a frame to B, the switch no longer knows B ("B unknown... flood the frame") and floods it out every port, port 3 included: the attacker on port 3 sees the traffic to B.


MAC Flooding Attack Mitigation

• Port Security
  Allows you to specify the MAC addresses for each port, or to learn a certain number of MAC addresses per port
  Upon detection of an invalid MAC, block only the offending MAC or just shut down the port
• Smart CAM table
  Never overwrite existing entries; only time out inactive entries
  Active hosts will never be overwritten
• Speak first
  Deviation from the learning bridge: never flood
  Requires a host to send traffic first before it can receive any
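The following is an added example, not code from the original slides: a hypothetical learning-switch model that replays the CAM overflow of the previous two slides and then applies two of the mitigations listed above, a per-port MAC limit in the style of port security, and a table that refuses to evict entries of hosts that are still active. The Switch class, its 64-entry capacity, the 300-tick aging window and the port numbers are assumptions made for the demo, not the behaviour of any particular product.

```python
import random


class Switch:
    """Hypothetical learning switch with a bounded CAM table (added example)."""

    def __init__(self, ports, capacity, max_per_port=None,
                 protect_active=False, age=300):
        self.ports = list(ports)
        self.capacity = capacity              # CAM size; tiny so the demo is fast
        self.max_per_port = max_per_port      # port security: max MACs per port
        self.protect_active = protect_active  # "smart CAM": never evict active hosts
        self.age = age                        # ticks after which an entry is inactive
        self.cam = {}                         # mac -> [port, last_seen]
        self.clock = 0
        self.errdisabled = set()              # ports shut down by a violation

    def _learn(self, mac, port):
        """Learn the source MAC; return False if port security drops the frame."""
        if mac in self.cam:
            self.cam[mac] = [port, self.clock]      # refresh, never a new entry
            return True
        if self.max_per_port is not None:
            seen_here = sum(1 for p, _ in self.cam.values() if p == port)
            if seen_here >= self.max_per_port:
                self.errdisabled.add(port)          # violation mode: shut the port
                return False
        if len(self.cam) >= self.capacity:
            stale = [m for m, (_, seen) in self.cam.items()
                     if self.clock - seen > self.age]
            if self.protect_active and not stale:
                return True      # table full of active hosts: forward, do not learn
            pool = stale if self.protect_active else list(self.cam)
            oldest = min(pool, key=lambda m: self.cam[m][1])
            del self.cam[oldest]                    # plain switch: overwrite the oldest
        self.cam[mac] = [port, self.clock]
        return True

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for one frame."""
        self.clock += 1
        if in_port in self.errdisabled or not self._learn(src, in_port):
            return set()
        if dst in self.cam:
            return {self.cam[dst][0]}               # known unicast: one port
        return set(self.ports) - {in_port}          # unknown unicast: flood


def cam_overflow_demo(**switch_options):
    """A (port 1) and B (port 2) are learned, then the attacker on port 3 sprays
    200 frames with random source MACs. Return where A's next frame to B goes."""
    sw = Switch(ports=[1, 2, 3], capacity=64, **switch_options)
    sw.forward("A", "B", 1)
    sw.forward("B", "A", 2)
    rng = random.Random(1)                          # seeded: deterministic demo
    for _ in range(200):
        fake_src = "%012x" % rng.getrandbits(48)
        sw.forward(fake_src, "ff:ff:ff:ff:ff:ff", 3)
    return sw.forward("A", "B", 1)


if __name__ == "__main__":
    print("plain switch      :", cam_overflow_demo())                      # {2, 3}: attacker sees it
    print("smart CAM table   :", cam_overflow_demo(protect_active=True))   # {2}
    print("port security max2:", cam_overflow_demo(max_per_port=2))        # {2}
```

With the plain table, A's frame to B is flooded to port 3 as well as port 2. With the "smart" table the attacker's MACs are simply not learned once the table is full of active hosts, and with a two-MAC limit on each port the attacker's third forged source address err-disables port 3; in both cases A's frame reaches only port 2.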


ARP Attacks

ARP Spoofing

[Figure: hosts A (IP a, MAC A), B (IP b, MAC B) and C (IP c, MAC C) on one segment.]

• C sends a faked gratuitous ARP reply to A, claiming that IP b is at MAC C
• A then sends its traffic for IP b to MAC C; C relays it to B and so sees all traffic from IP a to IP b

  C -> A, ARP, b = C
  A -> C, IP, a -> b
  C -> B, IP, a -> b

Mitigating ARP Spoofing

• ARP spoofing works only within one VLAN
• Static ARP table on critical stations (but dynamic ARP overrides static ARP on most hosts!)
• ARP ACL: checking ARP packets within a VLAN
  Either by static definition
  Or by snooping DHCP for dynamic leases
• No direct communication within a VLAN: private VLAN
  A spoofed ARP packet cannot reach the other hosts

ARP Spoof Mitigation: Private VLANs

[Figure: a primary VLAN with a promiscuous port (the uplink) and an isolated VLAN containing the isolated ports. Isolated ports can talk to the promiscuous port but not to each other, so a spoofed ARP sent from one isolated port never reaches another.]


VLAN “Hopping” Attacks

Trunk Port Refresher

• Trunk ports have access to all VLANs by default
• Used to carry traffic for multiple VLANs across the same physical link (generally used between switches)

[Figure: two switches connected by a trunk port.]

Basic VLAN Hopping Attack

• A station can spoof as a switch with 802.1Q signaling
• The station is then a member of all VLANs
• Requires a trunking-favorable setting on the port (the SANS paper is three years old)
  http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

[Figure: the attacker's port has been negotiated into a trunk port, like the real trunk between the two switches.]

Double Encapsulated 802.1Q VLAN Hopping Attack

• Send double encapsulated 802.1Q frames
• The switch performs only one level of decapsulation
• Unidirectional traffic only
• Works even if trunk ports are set to off

[Figure: the attacker sends a frame carrying two 802.1Q tags (802.1q, 802.1q, frame). The first switch strips off the outer tag and sends the frame out the trunk (802.1q, frame); the second switch reads the remaining tag and delivers the frame to the victim in that VLAN. Note: only works if the trunk has the same native VLAN as the attacker.]


Mitigation

• Use recent switches

• Disable auto-trunking

• Never put hosts in the trunk native VLAN

• Put unused ports in an unused VLAN
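As an added example (not from the original slides), the double-tagging attack and two of the mitigations above, worked through on real 802.1Q frame bytes: a double-tagged frame is pushed through a model of the attacker's switch (one level of decapsulation on the access port, native VLAN untagged on the trunk) and then through the downstream switch, which classifies the frame by whatever tag is left. The two switch functions, the VLAN numbers and the switch behaviour they assume are hypothetical; only the 802.1Q tag layout (EtherType 0x8100, 12-bit VID) is standard.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def eth_frame(dst_mac, src_mac, ethertype, payload):
    return (bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
            + struct.pack("!H", ethertype) + payload)


def tag(frame, vid):
    """Insert one 802.1Q tag (PCP 0, DEI 0) between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def untag(frame):
    """Strip exactly one tag: (vid, inner frame), or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def attacker_side_switch(frame, access_vlan, trunk_native):
    """Access-port ingress plus trunk egress on the switch the attacker plugs into.
    Assumed behaviour (the one the slide describes): a tag equal to the port's
    access VLAN is accepted and stripped, i.e. exactly one level of decapsulation;
    any other VID is dropped. On the trunk the native VLAN leaves untagged and
    every other VLAN is tagged. Returns the frame as seen on the trunk, or None."""
    vid, inner = untag(frame)
    if vid is None:
        vid, inner = access_vlan, frame
    elif vid != access_vlan:
        return None
    return inner if vid == trunk_native else tag(inner, vid)


def victim_side_switch(frame, trunk_native):
    """Trunk ingress on the downstream switch: the VLAN is whatever tag it sees."""
    vid, inner = untag(frame)
    return (trunk_native if vid is None else vid), inner


def vlan_reached(access_vlan, trunk_native, target_vlan=20):
    """Send one double-tagged frame (outer = attacker's own VLAN, inner = target)
    through both switches and report the VLAN the victim-side switch delivers it to."""
    payload = b"\x45\x00\x00\x14" + b"\x00" * 16          # constructed IP-looking payload
    frame = eth_frame("ffffffffffff", "0200deadbeef", ETH_P_IP, payload)
    double_tagged = tag(tag(frame, target_vlan), access_vlan)   # inner 20, outer own VLAN
    on_trunk = attacker_side_switch(double_tagged, access_vlan, trunk_native)
    if on_trunk is None:
        return None
    return victim_side_switch(on_trunk, trunk_native)[0]


if __name__ == "__main__":
    print("attacker in native VLAN 1, trunk native 1 :", vlan_reached(1, 1))    # 20: hopped
    print("trunk native moved to unused VLAN 999     :", vlan_reached(1, 999))  # 1
    print("host kept out of the native VLAN (10 vs 1):", vlan_reached(10, 1))   # 10
```

The frame only hops when the attacker's VLAN is the trunk's native VLAN: then the outer tag is stripped on ingress and nothing is put back on egress, so the inner tag is what the next switch reads. Moving the native VLAN to an unused ID, or keeping hosts out of it, means the trunk egress re-tags the frame with the attacker's real VLAN and the inner tag never surfaces.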


Spanning Tree Attacks

Spanning Tree Basics

• Loop-free connectivity: a switch is elected as root, and a 'tree-like' loop-free topology is established

[Figure: switches A (root) and B with a redundant link between them; ports are marked F (forwarding) or B (blocking), and the blocked redundant link is crossed out.]

Spanning Tree Attack Example 1/2

• Send BPDU messages from the attacker to force spanning tree recalculations
  Impact likely to be DoS
• Send BPDU messages to become root bridge

[Figure: an attacker connected to two access switches, sending STP BPDUs on both links; the root sits above the access switches, and one redundant link between them is blocking.]

Spanning Tree Attack Example 2/2

• Send BPDU messages from the attacker to force spanning tree recalculations
  Impact likely to be DoS
• Send BPDU messages to become root bridge
  The hacker then sees frames he shouldn't
  MITM, DoS, etc. are all possible
  Any attack is very sensitive to the original topology, trunking, PVST, etc.
  Requires the attacker to be dual-homed to two different switches

[Figure: the attacker, dual-homed to both access switches, has become the root; the former root is no longer root, a link that used to forward is now blocking, and traffic between the access switches transits the attacker.]


STP Attack Mitigation

• Disable STP (it is not needed in loop-free topologies)
• BPDU Guard: disables a port upon detection of a BPDU message on that port
• Root Guard: disables ports that would become the root bridge due to their BPDU advertisement
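An added example (not from the original slides) of what BPDU Guard and Root Guard decide on, using real 802.1D configuration BPDU bytes: a parser for the BPDU, and a small per-port policy that err-disables any user port that receives a BPDU at all and marks a Root Guard port inconsistent when the received root ID is better (numerically lower) than the root the switch already trusts. The StpGuards class, the port numbers and the bridge MACs are hypothetical; the BPDU layout (LLC 0x42/0x42/0x03, protocol ID 0, root ID, path cost, bridge ID) follows 802.1D.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")
LLC_STP = b"\x42\x42\x03"                 # DSAP/SSAP 0x42, UI control field


def bridge_id(priority, mac_hex):
    """8-byte bridge ID: 2-byte priority followed by the bridge MAC; lower wins."""
    return struct.pack("!H", priority) + bytes.fromhex(mac_hex)


def config_bpdu(src_mac_hex, root_id, root_path_cost, sender_id, port_id=0x8001):
    """Constructed 802.1D configuration BPDU in an 802.3 frame with LLC header."""
    body = (struct.pack("!HBBB", 0, 0, 0, 0)            # protocol ID, version, type=config, flags
            + root_id + struct.pack("!I", root_path_cost) + sender_id
            + struct.pack("!HHHHH", port_id, 0, 20 << 8, 2 << 8, 15 << 8))  # msg age, max age, hello, fwd delay (1/256 s units)
    length = len(LLC_STP) + len(body)
    return STP_MCAST + bytes.fromhex(src_mac_hex) + struct.pack("!H", length) + LLC_STP + body


def parse_bpdu(frame):
    """Return (root_id, root_path_cost, sender_id) for a config BPDU, else None."""
    if frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    proto, _version, bpdu_type = struct.unpack("!HBB", frame[17:21])
    if proto != 0 or bpdu_type != 0:
        return None                 # only plain 802.1D config BPDUs are modelled
    root_id = frame[22:30]
    cost = struct.unpack("!I", frame[30:34])[0]
    return root_id, cost, frame[34:42]


class StpGuards:
    """Port-level reaction to received BPDUs (hypothetical switch model)."""

    def __init__(self, current_root, bpduguard_ports, rootguard_ports):
        self.root = current_root                  # bridge ID of the root we believe in
        self.bpduguard = set(bpduguard_ports)     # user (PortFast) ports
        self.rootguard = set(rootguard_ports)     # ports that must never lead to the root
        self.errdisabled = set()
        self.root_inconsistent = set()

    def receive(self, port, frame):
        bpdu = parse_bpdu(frame)
        if bpdu is None:
            return "not a config bpdu"
        root_id, _cost, _sender = bpdu
        if port in self.bpduguard:                # any BPDU at all on a user port
            self.errdisabled.add(port)
            return "bpduguard: port %d err-disabled" % port
        if port in self.rootguard and root_id < self.root:   # superior root claim
            self.root_inconsistent.add(port)
            return "rootguard: port %d root-inconsistent" % port
        return "processed"


def scenario():
    real_root = bridge_id(0x8000, "0000aa000001")              # default priority 32768
    sw = StpGuards(real_root, bpduguard_ports={1, 2, 3}, rootguard_ports={10})
    attacker_id = bridge_id(0x0000, "0200deadbeef")            # priority 0 beats everyone
    evil = config_bpdu("0200deadbeef", attacker_id, 0, attacker_id)
    neighbour = bridge_id(0x8000, "0000aa000002")
    legit = config_bpdu("0000aa000002", real_root, 4, neighbour)
    return [
        sw.receive(3, evil),      # user port: BPDU Guard shuts it
        sw.receive(10, evil),     # downlink with Root Guard: blocked, root unchanged
        sw.receive(10, legit),    # ordinary BPDU naming the real root: fine
        sw.receive(11, evil),     # unguarded port: the attacker's claim gets processed
    ]


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The last case is the point of the slide: a port with neither guard accepts the priority-0 claim and the attacker becomes root. Root ID comparison is done on the raw 8 bytes, which orders the same way as the numeric priority-then-MAC comparison STP uses.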


Other Attacks


DHCP Rogue Server Attack

• Simply the installation of an unknown DHCP server in the local subnet
• Other attack: exhaustion of DHCP pools
• RFC 3118 "Authentication for DHCP Messages" will help, but has yet to be implemented
• Mitigation:
  Consider using multiple DHCP servers for the different security zones of your network
  Use an intra-VLAN ACL to block DHCP traffic from unknown servers
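An added example (not from the original slides) that serves two passages at once: the "ARP ACL ... by snooping DHCP for dynamic leases" mitigation under ARP spoofing, and the rogue-server mitigation above. A hypothetical switch model drops DHCP server replies that arrive on untrusted ports, records the leases it sees acknowledged on the trusted port as IP/MAC/port bindings, and then validates ARP replies from untrusted ports against those bindings (the check a dynamic ARP inspection feature performs). The DHCP and ARP messages are constructed inline; the SnoopingSwitch class, port numbers and addresses are assumptions for the demo, and the DHCP parser handles only what the demo needs (fixed header, magic cookie, option 53).

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
DHCP_MAGIC = b"\x63\x82\x53\x63"


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def dhcp_message(op, msg_type, chaddr_hex, yiaddr="0.0.0.0", xid=0x1234):
    """Constructed BOOTP/DHCP message with a single option 53 (message type)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)        # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4 + IPv4Address(yiaddr).packed + b"\x00" * 8   # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(chaddr_hex) + b"\x00" * 10 + b"\x00" * 192  # chaddr (16), sname (64), file (128)
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(msg):
    """Return (op, yiaddr, client MAC, message type) from a DHCP message."""
    op, _htype, hlen = struct.unpack("!BBB", msg[:3])
    if msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    yiaddr, chaddr = IPv4Address(msg[16:20]), mac_str(msg[28:28 + hlen])
    i, msg_type = 240, None
    while i < len(msg) and msg[i] != 255:          # walk TLV options to the End option
        if msg[i] == 0:                            # Pad
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        if code == 53:
            msg_type = msg[i + 2]
        i += 2 + length
    return op, yiaddr, chaddr, msg_type


def arp_frame(sha_hex, spa, tha_hex, tpa, oper=2):
    """Constructed Ethernet + ARP frame (oper 2 = reply)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + bytes.fromhex(sha_hex)
           + IPv4Address(spa).packed + bytes.fromhex(tha_hex) + IPv4Address(tpa).packed)
    return bytes.fromhex(tha_hex) + bytes.fromhex(sha_hex) + struct.pack("!H", ETH_P_ARP) + arp


class SnoopingSwitch:
    """DHCP snooping builds the binding table; ARP inspection checks ARP against it."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing real DHCP servers / uplinks
        self.pending = {}                   # client MAC -> port it asked from
        self.bindings = {}                  # IP -> (MAC, port), one per lease

    def dhcp(self, port, msg):
        op, yiaddr, chaddr, msg_type = parse_dhcp(msg)
        if op == 1:                                   # BOOTREQUEST from a client
            self.pending[chaddr] = port
            return "permit request"
        if port not in self.trusted:                  # BOOTREPLY on a user port: rogue server
            return "drop reply from untrusted port %d" % port
        if msg_type == 5:                             # DHCPACK: the lease is final, record it
            self.bindings[yiaddr] = (chaddr, self.pending.get(chaddr))
        return "permit reply"

    def arp(self, port, frame):
        """Dynamic ARP inspection: the sender MAC/IP of an ARP from an untrusted
        port must match a snooped lease on that same port."""
        if port in self.trusted or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
            return "permit"
        sha, spa = mac_str(frame[22:28]), IPv4Address(frame[28:32])
        return "permit" if self.bindings.get(spa) == (sha, port) else "drop"


def scenario():
    sw = SnoopingSwitch(trusted_ports={24})       # port 24 leads to the real DHCP server
    a, b, c = "0200000000aa", "0200000000bb", "0200000000cc"
    return [
        sw.dhcp(1, dhcp_message(1, 3, a)),                       # A requests (port 1)
        sw.dhcp(24, dhcp_message(2, 5, a, "10.0.0.1")),          # server ACKs A
        sw.dhcp(2, dhcp_message(1, 3, b)),                       # B requests (port 2)
        sw.dhcp(24, dhcp_message(2, 5, b, "10.0.0.2")),          # server ACKs B
        sw.dhcp(3, dhcp_message(2, 2, a, "10.0.0.66")),          # rogue OFFER from port 3
        sw.arp(2, arp_frame(b, "10.0.0.2", a, "10.0.0.1")),      # B's genuine reply to A
        sw.arp(3, arp_frame(c, "10.0.0.2", a, "10.0.0.1")),      # C claims "b = C"
    ]


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The rogue OFFER on port 3 is dropped because only port 24 is trusted for server replies, and C's reply claiming IP b is dropped because the only lease for 10.0.0.2 is bound to B's MAC on port 2. Statically configured hosts need a static entry in the binding table (the "static definition" case on the ARP slide), since snooping alone never sees them.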


Proactive Defense


Wire-Speed Access Control Lists

• Many current switches offer wire-speed ACLs to control traffic flows (with or without a router port)

• Allows implementation of edge filtering that might otherwise not be deployed due to performance concerns

• VLAN ACLs and Router ACLs are typically the two implementation methods


Network Intrusion Detection System

• Network IDS are now able to
  Understand trunking protocols
  Handle 1 Gbps, including management of the alerts!
  Understand layer 2 attacks


802.1X

• 802.1X is an IEEE standard for port-based network access control
  EAP based
  Improved user authentication: username and password
  Can work on plain 802.3 or 802.11

IEEE 802.1X Terminology

[Figure: the supplicant sits on the semi-public network / enterprise edge and connects to the authenticator (e.g. a switch or access point), which in turn talks to the authentication server on the enterprise network. Supplicant to authenticator: EAP over LAN (EAPOL) on 802.3, EAP over wireless (EAPOW) on 802.11. Authenticator to authentication server: RADIUS (labelled "encrypted RADIUS").]


What Does it Do?

• Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
• The authenticator (switch) becomes the middleman, relaying the EAP received in 802.1X packets to an authentication server by using RADIUS to carry the EAP information
• Three forms of EAP are specified in the standard
  EAP-MD5: MD5 hashed username/password
  EAP-OTP: one-time passwords
  EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL); preferred method of authentication

[Figure: frame layout: 802.1X header followed by the EAP payload.]
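An added example (not from the original slides) of the relay described above, at the byte level: the supplicant's EAP Response/Identity arrives in an EAPOL frame, the authenticator unwraps it and re-wraps it in a RADIUS Access-Request as EAP-Message attributes, and adds the Message-Authenticator HMAC-MD5 that RFC 3579 requires so the server can tell the request was not altered in transit; the server side recomputes and checks it. The shared secret, MAC address, identity and NAS port are constructed values; the frame and attribute layouts follow 802.1X, RFC 3748 (EAP) and RFC 2865/3579 (RADIUS). Note that this HMAC authenticates the request between switch and server; it is not the "encrypted RADIUS" of the terminology figure, and the EAP payload itself is only as confidential as the EAP method makes it.

```python
import hashlib
import hmac
import os
import struct

ETH_P_EAPOL = 0x888E
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address


def eap_response_identity(ident, identity):
    body = b"\x01" + identity                                    # EAP type 1 = Identity
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body   # code 2 = Response


def eapol_frame(src_mac_hex, eap_packet):
    """Supplicant -> authenticator: EAPOL (version 1, type 0 = EAP-Packet)."""
    return (PAE_GROUP + bytes.fromhex(src_mac_hex) + struct.pack("!H", ETH_P_EAPOL)
            + struct.pack("!BBH", 1, 0, len(eap_packet)) + eap_packet)


def parse_eapol(frame):
    """Return the EAP packet carried by an EAPOL EAP-Packet frame, else None."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_EAPOL:
        return None
    _version, packet_type, length = struct.unpack("!BBH", frame[14:18])
    if packet_type != 0:
        return None                 # EAPOL-Start/Logoff/Key are handled by the switch itself
    return frame[18:18 + length]


def parse_eap(packet):
    """Return (code, identifier, type, type data); raises on a bad length field."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length != len(packet):
        raise ValueError("EAP length mismatch")
    eap_type = packet[4] if length > 4 else None
    return code, ident, eap_type, packet[5:length]


def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(secret, ident, user_name, eap_packet, nas_port):
    """Authenticator -> RADIUS server (RFC 3579): the EAP packet rides in
    EAP-Message (79) attributes; Message-Authenticator (80) is HMAC-MD5 over the
    whole request, keyed with the shared secret, computed with its own value zeroed."""
    attrs = radius_attr(1, user_name) + struct.pack("!BBI", 5, 6, nas_port)   # User-Name, NAS-Port
    for i in range(0, len(eap_packet), 253):                                # 253-byte chunks
        attrs += radius_attr(79, eap_packet[i:i + 253])
    attrs += radius_attr(80, b"\x00" * 16)                                  # placeholder MA
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)  # code 1 = Access-Request
    pkt = header + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                 # MA is the last attribute: drop in the real value


def verify_message_authenticator(secret, pkt):
    """Server side: find attribute 80, recompute the HMAC over the zeroed packet."""
    i = 20
    while i + 2 <= len(pkt):
        attr_type, attr_len = pkt[i], pkt[i + 1]
        if attr_len < 2:
            return False                   # malformed attribute
        if attr_type == 80 and attr_len == 18:
            zeroed = pkt[:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += attr_len
    return False                           # no Message-Authenticator: reject EAP requests


def relay_demo(secret=b"constructed-shared-secret"):
    """Supplicant sends Response/Identity; the switch relays it to RADIUS."""
    frame = eapol_frame("0200000000aa", eap_response_identity(1, b"jdoe"))
    eap = parse_eapol(frame)
    code, ident, eap_type, data = parse_eap(eap)
    if code != 2 or eap_type != 1:
        raise ValueError("expected EAP Response/Identity")
    request = access_request(secret, ident, data, eap, nas_port=3)
    return request, verify_message_authenticator(secret, request)


if __name__ == "__main__":
    request, ok = relay_demo()
    print(len(request), "byte Access-Request, Message-Authenticator valid:", ok)
```

The switch never interprets the EAP method; it only copies the EAP packet into the RADIUS request and later copies the server's EAP reply back into an EAPOL frame, which is why any EAP method the server and supplicant agree on works through the same switch.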

Example Solution "A": Access Control and User Policy Enforcement

[Figure: supplicant, switch and authentication server.]

• Login request from the supplicant; the switch forwards the credentials to the authentication server
• The server checks with the policy DB: login good! "This is John Doe, he goes into VLAN 5"; apply policies
• The switch applies the policies and enables the port: set port VLAN to 5
• The user has access to the network, with the applicable VLAN

Example Solution "B": Access for Guest Users

[Figure: supplicant, switch and authentication server.]

• Login request... login request... login request: authentication timeout, retries expired
• The client is not 802.1X capable: put them in the quarantine zone!
• The switch applies policies and enables the port: set port VLAN to 100 (DMZ), set port QoS tagging to 7, set QoS rate limit to 2 Mbps
• The user has access to the DMZ or "quarantine" network


Summary


Layer 2 Security Best Practices 1/2

• Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.)
• Always use a dedicated VLAN ID for all trunk ports
• Be paranoid: do not use VLAN 1 for anything
• Set all user ports to non-trunking
• Deploy port security where possible for user ports
• Selectively use SNMP and treat community strings like root passwords
• Have a plan for the ARP security issues in your network


Layer 2 Security Best Practices 2/2

• Enable STP attack mitigation (BPDU Guard, Root Guard)
• Use private VLANs where appropriate to further divide L2 networks
• Disable all unused ports and put them in an unused VLAN
• Consider 802.1X for the middle term

All of the preceding features are dependent on your own security policy
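As an added example (not from the original slides), a small audit script that checks a switch configuration against the port-level items of the two best-practice slides: trunks with a dedicated native VLAN and trunk negotiation off, user ports forced to access mode, out of VLAN 1, with port security and BPDU Guard, and shut-down ports parked in an unused VLAN. The sample running-config is constructed for the demo and uses Cisco IOS-style syntax; the script assumes, as on Catalyst switches, that a port without an explicit mode can negotiate a trunk, that the default access and native VLAN is 1, and that VLAN 999 is the unused VLAN. The checks are the author's list, not a complete hardening baseline.

```python
# Constructed sample: five ports on a Catalyst-style switch, deliberately mixed.
SAMPLE_CONFIG = """\
vlan 999
 name UNUSED
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 1
!
interface GigabitEthernet1/0/3
 shutdown
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 spanning-tree guard root
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20
!
"""


def parse_interfaces(config):
    """Map each 'interface X' stanza to its (stripped) sub-lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None                  # "!" or a global command ends the stanza
    return stanzas


def has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)


def value(lines, prefix, default):
    """Argument of the first line starting with prefix, or the switch default."""
    return next((line[len(prefix):].strip() for line in lines if line.startswith(prefix)), default)


def audit(config, unused_vlan="999"):
    """Return {interface: [findings]} for ports that miss a best practice."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if has(lines, "switchport mode trunk"):
            if value(lines, "switchport trunk native vlan", "1") == "1":
                issues.append("trunk native VLAN is 1: use a dedicated, host-free VLAN ID")
            if not has(lines, "switchport nonegotiate"):
                issues.append("DTP still enabled on trunk")
        elif has(lines, "shutdown"):
            if value(lines, "switchport access vlan", "1") != unused_vlan:
                issues.append("unused port not parked in VLAN %s" % unused_vlan)
        else:
            if not has(lines, "switchport mode access"):
                issues.append("not forced to access mode (DTP may negotiate a trunk)")
            if value(lines, "switchport access vlan", "1") == "1":
                issues.append("user port in VLAN 1")
            if not has(lines, "switchport port-security"):
                issues.append("port-security not enabled")
            if not has(lines, "spanning-tree bpduguard enable"):
                issues.append("BPDU Guard not enabled")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in sorted(audit(SAMPLE_CONFIG).items()):
        print(port)
        for issue in issues:
            print("  -", issue)
```

On the sample, Gi1/0/1 and Gi1/0/23 pass; Gi1/0/2 (a port left at defaults) collects four findings, the shut-down Gi1/0/3 is still in VLAN 1, and the Gi1/0/24 trunk has native VLAN 1 with negotiation left on. Feed it the output of `show running-config` to use it on a real switch.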


Final Word

• Switches were not designed for security

• Now, switches are designed with security in mind

• In most cases, with good configuration, they can even enhance your network security