Turning Off Unused Network Interfaces and Services
Why Worry About Layer 2 Security? Host B Host A Physical Links MAC Addresses IP Addresses Protocols and Ports Application Stream OSI was built to allow different layers to work without knowledge of each other. Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical
If one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as your weakest link.
When it comes to networking, Layer 2 can be a very weak link.
MAC Addresses Physical Links IP Addresses Protocols and Ports Application Stream Compromised Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical Initial Compromise
The attacker sends double-encapsulated 802.1Q frames.
The switch performs only one level of decapsulation.
Only unidirectional traffic is passed.
The attack works even if the trunk ports are set to “off”.
Attacker (VLAN 10) Victim (VLAN 20) Frame Note: This attack works only if the trunk has the same native VLAN as the attacker. 802.1Q, 802.1Q 802.1Q, Frame 20 10 20 Trunk (Native VLAN = 10) Note: There is no way to execute these attacks unless the switch is misconfigured. The first switch strips off the first tag and sends it back out.
On booting the switch, STP identifies one switch as a root bridge and blocks other redundant data paths.
STP uses BPDUs to maintain a loop-free topology.
X F F F F B F F F F = Forwarding Port B = Blocking Port A Root B
STP Attack (Cont.) F The attacker sends spoofed BPDUs to change the STP topology. Access Switches F The attacker now becomes the root bridge. Access Switches Root F F F F Root B X Root F F F F B F X STP STP
Mitigating STP Attacks with bpdu-guard and guard root Commands
Mitigates STP manipulation with bpduguard command
Mitigates STP manipulation with guard root command
10.1.1.1 DHCP Server DHCP Discovery (BCAST) DHCP Offer (UCAST) DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof. Track Discovery Track DHCP Offer MAC or IP Track Subsequent ARPs for MAC or IP 10.1.1.2 DAI Function:
A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping.
10.1.1.1 10.1.1.2 GARP is sent to attempt to change the IP address to MAC bindings. Gateway is 10.1.1.1 Attacker is not gateway according to this binding table I am your gateway: 10.1.1.1 10.1.1.2
“Learns” by Flooding the Network MAC A MAC B MAC C Port 1 Port 2 Port 3 A->B MAC Port A 1 C 3 The CAM table is incomplete. MAC B is unknown, so the switch will flood the frame. MAC C “sees” traffic to MAC B. A->B A->B
CAM Learns MAC B Is on Port 2 B->A B->A MAC A MAC B MAC C Port 1 MAC Port A 1 C 3 Port 2 Port 3 B 2 Host C drops the packet addressed to host B. CAM learns that MAC B is on Port 2. MAC A = host A MAC B = host B MAC C = host C
CAM Table Is Updated — Flooding Stops A->B A->B MAC A MAC B MAC C Port 1 MAC Port A 1 C 3 Port 2 Port 3 B 2 CAM has learned MAC B is on Port 2. CAM tables are limited in size. MAC A = host A MAC B = host B MAC C = host C MAC C does not “see” traffic to MAC B anymore.
Intruder Launches macof Utility Y->? MAC A MAC B Port 1 Port 2 Port 3 MAC C Bogus addresses are added to the CAM table. MAC Port A 1 B 2 C 3 MAC Port X 3 B 2 C 3 MAC Port X 3 Y 3 C 3 X->? Macof starts sending unknown bogus MAC addresses. Intruder runs macof on MAC C. Y is on Port 3 and CAM is updated. X is on Port 3 and CAM is updated.
The CAM Table Overflows — Switch Crumbles Under the Pressure The CAM table is full, so Port 3 is closed. MAC A MAC B MAC C Port 1 Port 2 Port 3 A->B MAC Port X 3 Y 3 C 3 MAC B is unknown, so the switch floods the frame looking for MAC B. MAC A = host A MAC B = host B MAC C = host C A->B A->B
MAC Address Spoofing Attack A A A A B B (Attacker) B Switch Port Table B DEST MAC: A DEST MAC: A Switch Port Table 1 1 1 1 2 3 2 3 2 3 2 3 Host Host Host Host Spoofed Switch Port Table Updated Switch Port Table SRC: MAC (A) SRC: MAC (A) SRC = Source DEST = Destination 1 1 1 1 2 2 2 2 3 3 3 3 A B C A B C A B C A,B C
A station whose MAC address is not in the address table attempts to access the interface when the table is full.
An address is being used on two secure interfaces in the same VLAN .
Port Security Defaults Shutdown (The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.) Violation mode 1 Maximum number of secure MAC addresses Disabled on a port Port security Default Setting Feature
Configuring Port Security on a Cisco Catalyst Switch
Enter global configuration mode.
Enter interface configuration mode for the port that you want to secure.
Enable basic port security on the interface.
Set the maximum number of MAC addresses allowed on this interface.
Set the interface security violation mode. The default is shutdown. For mode, select one of these keywords: