Information Security and Networking - Security possibilities at layer 2

  1. Layer 2 Security: Wired LANs. Security Possibilities at Layer 2
  2. Seminar in the "Small bites" series. Dr. Andrea Virdi, computer science teacher and CCNP instructor. andreavirdi@gmail.com, info@learningconnections.it
  3. Goals of an Information Security Program
     • Confidentiality - Prevent the disclosure of sensitive information to unauthorized people, resources, and processes
     • Integrity - The protection of system information or processes from intentional or accidental modification
     • Availability - The assurance that systems and data are accessible by authorized users when needed
  4. Information Security Model: Information States, Information Security Properties, Security Measures
  5. Information Security Properties: Confidentiality, Integrity, Availability
  6. Information States: Processing, Storage, Transmission
  7. Security Measures: Policy and Procedures; Technology; Education, Training, and Awareness
  8. Information Security Model (the three axes combined)
     • Information States: Processing, Storage, Transmission
     • Security Properties: Confidentiality, Integrity, Availability
     • Security Measures: Policy and Procedures; Technology; Education, Training, and Awareness
  9. Risk Management
     • Risk Analysis
     • Threats
     • Vulnerabilities
     • Countermeasures
  10. Risk Management Terms
     • Vulnerability – a system, network or device weakness
     • Threat – potential danger posed by a vulnerability
     • Threat agent – the entity that identifies a vulnerability and uses it to attack the victim
     • Risk – likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
     • Exposure – potential to experience losses from a threat agent
     • Countermeasure – put into place to mitigate the potential risk
  11. Types of Attacks
     • Structured attack - Comes from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.
     • Unstructured attack - Consists mostly of inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker's skills can still do serious damage to a company.
  12. Types of Attacks
     • External attacks - Initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network, mainly from the Internet or dialup access servers.
     • Internal attacks - More common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks are often traced to disgruntled employees.
  13. Assertion: Intelligence built into the new generation of switches will permit greater control of data as it enters your network.
  14. Traditional Network Security
     • OSI Layers 3 and 4 are where most network controls are implemented
       − e.g., 192.168.1.2 can only be contacted on TCP port 80 from subnets beginning with 172.16.
     • Firewall rules and router access lists
     • Specialized devices now looking at layer 7
  15. Traditional Network Security
     [Diagram: hosts on each side of a router/firewall have Full Access within their own subnet; across the boundary, 192.168.1.2 is reachable on TCP port 80, while 192.168.1.2 on TCP port 99 is invalid (blocked).]
  16. Vulnerability: Attack within subnet
     • Compromised machines can access others on the same VLAN by default
     [Diagram: Full Access between hosts inside the VLAN; only Limited Access from outside it.]
  17. Remediation: Private VLANs
     • Promiscuous: talks to any port
     • Isolated: talks only to promiscuous
     • Community: talks only to same community or promiscuous

     |             | promiscuous | isolated | community A | community B |
     |-------------|-------------|----------|-------------|-------------|
     | promiscuous | Yes         | Yes      | Yes         | Yes         |
     | isolated    | Yes         | No       | No          | No          |
     | community A | Yes         | No       | Yes         | No          |
     | community B | Yes         | No       | No          | Yes         |
  18. Remediation: Protected Ports
     • Simpler form of a Private VLAN
       − Protected: similar to Isolated
       − Not protected: similar to Promiscuous
     • Only applicable to the local switch, however

     |               | protected | not protected |
     |---------------|-----------|---------------|
     | protected     | No        | Yes           |
     | not protected | Yes       | Yes           |
  19. Remediation: Private VLANs or Protected Ports
     [Diagram: isolated or protected ports have No Access to each other and only Limited Access, through the promiscuous or not protected port, to the rest of the network.]
  20. Vulnerability: Broadcast Storm
     • All devices in a VLAN / subnet must handle broadcasts, consuming resources.
     • OS or application bugs may produce constant broadcasts. May also be malicious.
     [Diagram: one host emits a broadcast storm; every other host in the VLAN is busy handling broadcasts.]
  21. Remediation: Storm Control
     • Can apply to broadcasts, multicasts, or unicasts
     • Set threshold as percentage of bandwidth over a 1 second period
     • If threshold is exceeded, drop this type of packet for next 1 second period
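The storm control rule on slide 21, written out as a per-period rate check. This is an added example, not code from the deck or from any switch vendor: it measures each traffic type over 1-second periods as a percentage of an assumed port bandwidth and, once a period exceeds the threshold, drops that type for the following period. The 10 Mb/s bandwidth, the 20% threshold and the frame list are constructed sample values.

```python
"""Storm control as a per-period rate check (added example, not code from the
slide deck). Models slide 21: traffic of one type is measured over each
1-second period as a percentage of port bandwidth, and if it exceeds the
threshold that traffic type is dropped for the following 1-second period.
Bandwidth, threshold and the frame list are constructed sample values."""
from collections import defaultdict


class StormControl:
    def __init__(self, bandwidth_bps, thresholds_pct):
        # thresholds_pct: {"broadcast": 20.0, ...}; types not listed are never suppressed
        self.bandwidth_bps = bandwidth_bps
        self.thresholds_pct = thresholds_pct
        self.period = 0                        # index of the 1-second period being measured
        self.bytes_this_period = defaultdict(int)
        self.suppressed_through = {}           # type -> last period index in which it is dropped
        self.stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})

    def _close_periods_until(self, period):
        """Evaluate every finished period and decide suppression for the period after it."""
        while self.period < period:
            for ttype, nbytes in self.bytes_this_period.items():
                pct = 100.0 * nbytes * 8 / self.bandwidth_bps
                if pct > self.thresholds_pct.get(ttype, float("inf")):
                    self.suppressed_through[ttype] = self.period + 1
            self.bytes_this_period = defaultdict(int)
            self.period += 1

    def offer(self, t_seconds, ttype, length):
        """Offer one frame arriving at time t_seconds; return True if it is forwarded."""
        period = int(t_seconds)
        self._close_periods_until(period)
        self.bytes_this_period[ttype] += length   # dropped frames still count toward the measurement
        if self.suppressed_through.get(ttype, -1) >= period:
            self.stats[ttype]["dropped"] += 1
            return False
        self.stats[ttype]["forwarded"] += 1
        return True


def sample_frames():
    """Constructed traffic as (time_s, type, length_bytes) tuples."""
    frames = []
    for i in range(100):                       # period 0: light broadcast background (~0.5% of 10 Mb/s)
        frames.append((i * 0.005, "broadcast", 64))
    for p in (1, 2):                           # periods 1-2: storm, 3000 x 100 bytes/s = 24% of 10 Mb/s
        for i in range(3000):
            frames.append((p + i / 3000.0, "broadcast", 100))
    for i in range(50):                        # period 3: the storm has subsided
        frames.append((3.0 + i * 0.01, "broadcast", 64))
    for p in range(4):                         # unicast throughout; no unicast threshold is configured
        frames.append((p + 0.5, "unicast", 1500))
    return frames


def simulate(frames, bandwidth_bps=10_000_000, broadcast_threshold_pct=20.0):
    """Run storm control over the frames in time order and return per-type counters."""
    sc = StormControl(bandwidth_bps, {"broadcast": broadcast_threshold_pct})
    for t, ttype, length in sorted(frames):
        sc.offer(t, ttype, length)
    return {ttype: dict(counts) for ttype, counts in sc.stats.items()}


if __name__ == "__main__":
    print(simulate(sample_frames()))
```

Note the consequence of the "next period" rule: the first second of the storm is forwarded in full, and the 50 harmless broadcasts in period 3 are still dropped because period 2 was over threshold. The unicast frames are never touched, which is why the slide lists the traffic types separately.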
  22. Vulnerability: Flooding for Data Capture or Performance Hit
     • Switches flood to all ports when MAC unknown
     • Switches learn MAC addresses at each port
     • Table of addresses is a finite size
     [Diagram: attacker starts macof or dsniff, sending frames with a new source MAC each time; the address table fills and the switch floods traffic to all ports.]
  23. Vulnerability: DHCP Denial of Service
     • Attacker requests new addresses for bogus MACs
     • Finite number of DHCP addresses in a subnet
     • PCs coming on the network can not get an address
     [Diagram: attacker starts DHCP Gobbler and repeats request/offer until the server has no more addresses; a legitimate PC gets no address.]
  24. Remediation: Port Security
     • Limits the source MAC addresses on a port
     • Can specify static addresses or maximum number
     • Violations on ports can
       − disable port
       − send trap and syslog
       − continue forwarding; drop frames with new MACs
       − continue forwarding; age out MAC entries from inactivity
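A small switch model that ties slides 22 and 24 together: a finite address table that floods unknown destinations, and port security limiting how many source MACs a port may present. This is an added example, not code from the deck or from any vendor; the three-port switch, the 8-entry table, the MAC addresses and the explicit age_out() call standing in for the inactivity timer are all constructed assumptions. The same scenario is run without port security, with the "restrict" (keep forwarding, drop new MACs, log) and with the "shutdown" (disable port) violation modes from slide 24.

```python
"""MAC flooding against a finite address table, and port security as the
counter (added example modelled on slides 22 and 24; not the deck's code).
Table size, port names and MAC addresses are constructed sample values, and
MAC ageing is simplified to an explicit age_out() call."""


class Switch:
    def __init__(self, ports, table_size, port_security=None):
        # port_security: {port: {"max": n, "mode": "shutdown" | "restrict" | "protect"}}
        self.ports = list(ports)
        self.table_size = table_size
        self.mac_table = {}                     # mac -> port
        self.psec = port_security or {}
        self.secure_macs = {p: set() for p in self.psec}
        self.violations = {p: 0 for p in self.psec}
        self.err_disabled = set()
        self.log = []

    def age_out(self):
        """Simulate the inactivity timer expiring for every learned entry."""
        self.mac_table.clear()

    def _learn(self, mac, port):
        if mac in self.mac_table:
            self.mac_table[mac] = port
        elif len(self.mac_table) < self.table_size:
            self.mac_table[mac] = port
        # else: table full, nothing learned; frames to unlearned MACs keep being flooded

    def _port_security_ok(self, mac, port):
        cfg = self.psec.get(port)
        if cfg is None:
            return True
        secured = self.secure_macs[port]
        if mac in secured:
            return True
        if len(secured) < cfg["max"]:
            secured.add(mac)                    # learned as a secure MAC on this port
            return True
        self.violations[port] += 1
        if cfg["mode"] == "shutdown":
            self.err_disabled.add(port)
            self.log.append(f"{port}: err-disabled after violation by {mac}")
        elif cfg["mode"] == "restrict":
            self.log.append(f"{port}: violation by {mac} (trap/syslog)")
        return False                            # the offending frame is dropped in every mode

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of egress ports."""
        if in_port in self.err_disabled:
            return []
        if not self._port_security_ok(src, in_port):
            return []
        self._learn(src, in_port)
        if dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]   # unknown destination: flood


def run_scenario(port_security=None, table_size=8):
    """Victim and server talk, entries age out, then 20 bogus source MACs arrive on
    Gi0/3 (the behaviour slide 22 attributes to macof). Returns where the server's
    next reply to the victim is sent."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], table_size, port_security)
    victim, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    sw.receive("Gi0/1", victim, server)
    sw.receive("Gi0/2", server, victim)
    sw.age_out()
    for i in range(20):
        sw.receive("Gi0/3", f"02:00:00:00:{i:02x}:00", "ff:ff:ff:ff:ff:ff")
    sw.receive("Gi0/1", victim, server)         # victim tries to be re-learned
    reply_egress = sw.receive("Gi0/2", server, victim)
    return {
        "reply_egress": reply_egress,
        "attacker_sees_reply": "Gi0/3" in reply_egress,
        "table_entries": len(sw.mac_table),
        "violations": dict(sw.violations),
        "err_disabled": sorted(sw.err_disabled),
    }


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario({"Gi0/3": {"max": 1, "mode": "restrict"}}))
    print(run_scenario({"Gi0/3": {"max": 1, "mode": "shutdown"}}))
```

Without port security the bogus sources fill the table before the victim can be re-learned, so the server's reply is flooded to every port, including the one the flooding came from. With a maximum of one secure MAC on Gi0/3, only the first bogus address is learned, the table keeps room for the real hosts, and the reply goes to Gi0/1 alone; the two modes differ only in whether the port is left up (with 19 logged violations) or err-disabled after the first.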
  25. Vulnerability: DHCP Rogue Server
     • Attacker uses rogue DHCP server to provide false settings (e.g., DNS, default gateway, etc.)
     [Diagram: the client sends a request; the true DHCP server answers with a good offer and the attacker's rogue DHCP server with a bad offer; the client ends up with bad DHCP information.]
  26. Remediation: DHCP Snooping
     • Define trusted ports for DHCP responses
     [Diagram: the true DHCP server sits behind a Trusted port and the rogue DHCP server behind an Untrusted port; the rogue's bad offer is dropped and the client gets good DHCP information.]
  27. Remediation: DHCP Snooping – other vulnerabilities covered
     • Comparison of MAC address in layers 2 and 7
       − hardware address must match "chaddr" (client hardware address) field in DHCP packet from untrusted ports
       − recall DHCP Gobbler attack and Port Security
     • Switch keeps track of the DHCP bindings to prevent DoS release attacks
       − DHCP releases or declines must have the hardware address match the original bound address
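The three DHCP Snooping checks from slides 26 and 27 as one inspection function: server messages are accepted only from trusted ports, client messages from untrusted ports must carry a chaddr equal to the Ethernet source MAC, and releases or declines must match the binding the switch recorded from the real server's ACK, on the same port. This is an added example, not the deck's code; the dict-shaped "packets", port names, MAC and IP addresses are constructed, and a real implementation would parse these fields out of the DHCP payload inside UDP.

```python
"""DHCP Snooping checks from slides 26 and 27 as a small inspection function
(added example, not the deck's code). Packets are plain dicts standing in for
parsed DHCP messages; port names, MACs and addresses are constructed."""

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> port that sent the DISCOVER/REQUEST
        self.bindings = {}   # chaddr -> {"ip", "port"}, learned from ACKs on trusted ports
        self.log = []

    def inspect(self, port, pkt):
        """pkt keys: type, src_mac (layer 2), chaddr (layer 7), and yiaddr (ACK)
        or addr (address being released/declined). Returns "forward" or "drop"."""
        t = pkt["type"]
        if port in self.trusted:
            if t == "ACK":                                  # record the lease the real server granted
                self.bindings[pkt["chaddr"]] = {"ip": pkt["yiaddr"], "port": self.pending.get(pkt["chaddr"])}
            return "forward"
        if t in SERVER_MESSAGES:                            # only trusted ports may answer as a server
            self.log.append(f"{port}: dropped {t} from untrusted port (rogue server?)")
            return "drop"
        if pkt["chaddr"] != pkt["src_mac"]:                 # layer 2 vs layer 7 hardware address check
            self.log.append(f"{port}: chaddr {pkt['chaddr']} does not match source MAC {pkt['src_mac']}")
            return "drop"
        if t in ("RELEASE", "DECLINE"):                     # must match the original binding, same port
            b = self.bindings.get(pkt["chaddr"])
            if b is None or b["ip"] != pkt["addr"] or b["port"] != port:
                self.log.append(f"{port}: {t} for {pkt['addr']} does not match binding table")
                return "drop"
            if t == "RELEASE":
                del self.bindings[pkt["chaddr"]]
            return "forward"
        self.pending[pkt["chaddr"]] = port                  # DISCOVER / REQUEST from a client
        return "forward"


def scenario():
    """Constructed exchange: client on Gi0/1, real server on trusted Gi0/24, attacker on Gi0/3."""
    snoop = DhcpSnooping(trusted_ports=["Gi0/24"])
    client, server, attacker = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    steps = [
        ("Gi0/1",  {"type": "DISCOVER", "src_mac": client, "chaddr": client}),
        ("Gi0/3",  {"type": "OFFER", "src_mac": attacker, "chaddr": client, "yiaddr": "10.0.0.66"}),  # rogue offer
        ("Gi0/24", {"type": "OFFER", "src_mac": server, "chaddr": client, "yiaddr": "10.0.0.50"}),
        ("Gi0/1",  {"type": "REQUEST", "src_mac": client, "chaddr": client}),
        ("Gi0/24", {"type": "ACK", "src_mac": server, "chaddr": client, "yiaddr": "10.0.0.50"}),
        ("Gi0/3",  {"type": "DISCOVER", "src_mac": attacker, "chaddr": "02:00:00:00:00:01"}),       # bogus chaddr (Gobbler-style)
        ("Gi0/3",  {"type": "RELEASE", "src_mac": client, "chaddr": client, "addr": "10.0.0.50"}),  # forged release from the wrong port
        ("Gi0/1",  {"type": "RELEASE", "src_mac": client, "chaddr": client, "addr": "10.0.0.50"}),  # genuine release
    ]
    verdicts, binding_after_ack = [], None
    for i, (port, pkt) in enumerate(steps):
        verdicts.append(snoop.inspect(port, pkt))
        if i == 4:
            binding_after_ack = dict(snoop.bindings)
    return {"verdicts": verdicts, "binding_after_ack": binding_after_ack,
            "bindings_final": dict(snoop.bindings), "log": snoop.log}


if __name__ == "__main__":
    for line in scenario()["log"]:
        print(line)
```

The forged release in step 7 passes the chaddr check (the attacker copied the client's MAC into both fields) and is caught only because the binding table also remembers which port the lease was granted on; that per-port binding is what the DAI and IP Source Guard checks on later slides reuse.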
  28. Vulnerability: Spanning Tree Root Hijack for Data Capture or Performance Hit
     • Spanning Tree Protocol resolves loops
     • Bridge Protocol Data Units sent from switches
     • Loops broken based on root selection
     [Diagram: attacker connects to both switches and sends BPDUs; it becomes root bridge, the STP block moves, and root frames now pass through the attacker.]
  29. Remediation: BPDU Guard
     • BPDUs should not be received on an access port
     • BPDU receipt may indicate unauthorized switch or hub, or an attack
     • BPDU receipt puts port into error disabled mode
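Root selection from slide 28 and the BPDU Guard reaction from slide 29 in one model. This is an added example, not the deck's code: bridge IDs are (priority, MAC) tuples compared lowest-wins as in STP, and the switch names, priorities, MACs and port names are constructed. The same scenario is run with and without BPDU Guard on the access port that receives an unexpected BPDU.

```python
"""Root bridge election from BPDUs, with and without BPDU Guard on the access
port (added example for slides 28 and 29; not the deck's code). Bridge IDs are
(priority, MAC) tuples; switch names, MACs and priorities are constructed."""


class StpSwitch:
    def __init__(self, name, priority, mac, bpdu_guard_ports=()):
        self.name = name
        self.bridge_id = (priority, mac)   # lower wins, priority compared before MAC
        self.root_id = self.bridge_id       # every switch starts out believing it is root
        self.root_port = None
        self.guard_ports = set(bpdu_guard_ports)
        self.err_disabled = set()

    def receive_bpdu(self, port, advertised_root):
        """Process a BPDU claiming advertised_root; return a short description of the result."""
        if port in self.err_disabled:
            return "ignored: port err-disabled"
        if port in self.guard_ports:
            self.err_disabled.add(port)     # an access port must never see a BPDU (slide 29)
            return "err-disabled by BPDU Guard"
        if advertised_root < self.root_id:
            self.root_id = advertised_root
            self.root_port = port
            return "root changed"
        return "root unchanged"

    def is_root(self):
        return self.root_id == self.bridge_id


def scenario(bpdu_guard_on_access_ports):
    """Two real switches converge; then a BPDU with priority 0 arrives on access port Fa0/5 of SW2."""
    guard = ("Fa0/5",) if bpdu_guard_on_access_ports else ()
    sw1 = StpSwitch("SW1", 4096, "00:00:00:00:00:01")
    sw2 = StpSwitch("SW2", 32768, "00:00:00:00:00:02", bpdu_guard_ports=guard)
    sw2.receive_bpdu("Gi0/1", sw1.root_id)      # SW1 advertises itself; SW2 accepts it as root
    sw1.receive_bpdu("Gi0/1", sw2.root_id)      # SW2 now relays SW1's ID; nothing changes
    unexpected_root = (0, "de:ad:be:ef:00:00")  # the lowest priority, which would win any election
    outcome = sw2.receive_bpdu("Fa0/5", unexpected_root)
    return {
        "outcome": outcome,
        "sw2_root": sw2.root_id,
        "sw2_root_port": sw2.root_port,
        "legitimate_root_kept": sw2.root_id == sw1.bridge_id,
        "sw1_is_root": sw1.is_root(),
        "err_disabled": sorted(sw2.err_disabled),
    }


if __name__ == "__main__":
    print(scenario(bpdu_guard_on_access_ports=False))
    print(scenario(bpdu_guard_on_access_ports=True))
```

Without the guard, SW2 simply does what the protocol tells it to and moves its root port to Fa0/5, which is the topology change slide 28 describes. With the guard, the port is err-disabled on the first BPDU and the election never sees the unexpected bridge ID; the err-disabled port is also the signal the slide mentions, worth alerting on rather than silently recovering.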
  30. Vulnerability: ARP Table Poisoning
     • ARP (Address Resolution Protocol) associates layer 3 addresses to layer 2 (IP to MAC)
     • Requests are broadcast
     • Responses unauthenticated and can be sent without a request (gratuitous)
     • ARP tables poisoned
     [Diagram: attacker starts ettercap and announces "I am PC A" to the router and "I am also the Router" to PC A; both ARP tables are poisoned and traffic in each direction is hijacked.]
  31. Remediation: Dynamic ARP Inspection
     • Validates against DHCP Snooping binding table (if DHCP Snooping used)
     • Can build access lists of MAC and IP pairs for non-DHCP environments or set port to be trusted
     • Can limit the rate of ARPs to prevent DoS attacks
  32. Vulnerability: IP Address Spoofing
     • Attacker sends packet with spoofed source IP address
     • Victim's response packet dies or goes to wrong source (another victim)
     [Diagram: packet with dest. 192.168.1.1 and a spoofed source of 192.168.1.1.]
  33. Remediation: Ingress Access List
     • RFC 2827 filtering is normally done by a router but can be done at the layer 2 device, closer to the end device
     • Helps protect other devices on the subnet
     • Source IP address should always be 0.0.0.0 for a DHCP request or within the subnet (e.g., 207.206.205.x)
       − Vulnerability: Attacker could still use another IP address within that subnet
  34. Remediation: IP Source Guard
     • Based on DHCP Snooping — source IP address must be the one listed in the DHCP Snooping table.
     • Can add static mappings for non-DHCP devices
     • Can also check MAC address
     [Diagram: a frame with source 192.168.1.1 is checked against the binding for its port.]
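Dynamic ARP Inspection (slide 31), the RFC 2827-style ingress access list (slide 33) and IP Source Guard (slide 34) all validate against the same per-port binding table, so one added example covers the three. This is not the deck's code: the binding table is constructed to look like what DHCP Snooping would have learned, plus one static mapping for a non-DHCP device; the trusted uplink, subnet, port names, MACs, addresses and the 15-per-second ARP limit are assumptions. The scenario shows the case slide 33 flags as the access list's weakness (a spoofed source that is still inside the subnet) and how the per-port binding closes it.

```python
"""Dynamic ARP Inspection, ingress (RFC 2827-style) filtering and IP Source
Guard applied to one binding table (added example for slides 31, 33 and 34;
not the deck's code). The binding table is constructed to look like what DHCP
Snooping would have learned, plus a static entry for a non-DHCP device; ports,
MACs and addresses are sample values."""
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_PORTS = {"Gi0/24"}                       # uplink toward the router; not inspected
BINDINGS = {                                     # port -> {(mac, ip)}
    "Gi0/1": {("aa:aa:aa:00:00:01", "192.168.1.10")},
    "Gi0/2": {("aa:aa:aa:00:00:02", "192.168.1.11")},
    "Gi0/3": {("aa:aa:aa:00:00:03", "192.168.1.12")},   # static mapping for a non-DHCP device
}


def dai_check(port, arp):
    """arp keys: src_mac (Ethernet), sender_mac and sender_ip (ARP body). Returns (verdict, reason)."""
    if port in TRUSTED_PORTS:
        return "forward", "trusted port"
    if arp["sender_mac"] != arp["src_mac"]:
        return "drop", "ARP sender MAC differs from Ethernet source MAC"
    if (arp["sender_mac"], arp["sender_ip"]) in BINDINGS.get(port, set()):
        return "forward", "sender matches binding"
    return "drop", f"no binding for {arp['sender_ip']} on {port}"


def ingress_acl_check(port, pkt):
    """Slide 33: source must be 0.0.0.0 (DHCP request) or inside the subnet. Per-subnet, not per-host."""
    if port in TRUSTED_PORTS or pkt["src_ip"] == "0.0.0.0":
        return "forward", "trusted port or DHCP request"
    if ipaddress.ip_address(pkt["src_ip"]) in SUBNET:
        return "forward", "source inside subnet"
    return "drop", "source outside subnet"


def ip_source_guard_check(port, pkt, check_mac=True):
    """Slide 34: source IP (and optionally source MAC) must match a binding on this port."""
    if port in TRUSTED_PORTS or pkt["src_ip"] == "0.0.0.0":
        return "forward", "trusted port or DHCP request"
    for mac, ip in BINDINGS.get(port, set()):
        if ip == pkt["src_ip"] and (not check_mac or mac == pkt["src_mac"]):
            return "forward", "source matches binding"
    return "drop", f"{pkt['src_ip']} not bound to {port}"


class ArpRateLimiter:
    """Slide 31: cap ARPs per port; exceeding the limit within one second err-disables the port."""
    def __init__(self, per_second):
        self.limit = per_second
        self.count = defaultdict(int)            # (port, second) -> ARPs seen
        self.err_disabled = set()

    def offer(self, port, t_seconds):
        if port in self.err_disabled:
            return False
        key = (port, int(t_seconds))
        self.count[key] += 1
        if self.count[key] > self.limit:
            self.err_disabled.add(port)
            return False
        return True


def scenario():
    """Host on Gi0/4 with no binding tries the spoofing cases from slides 30, 32 and 33."""
    port, mac = "Gi0/4", "cc:cc:cc:00:00:04"
    r = {}
    # ARP reply claiming the router's address: the poisoning slide 30 describes
    r["dai_poison"] = dai_check(port, {"src_mac": mac, "sender_mac": mac, "sender_ip": "192.168.1.1"})[0]
    r["dai_legit"] = dai_check("Gi0/1", {"src_mac": "aa:aa:aa:00:00:01", "sender_mac": "aa:aa:aa:00:00:01",
                                         "sender_ip": "192.168.1.10"})[0]
    # IP packet with a neighbour's in-subnet address: the ACL cannot tell, IP Source Guard can
    in_subnet = {"src_mac": mac, "src_ip": "192.168.1.11"}
    r["acl_in_subnet"] = ingress_acl_check(port, in_subnet)[0]
    r["ipsg_in_subnet"] = ip_source_guard_check(port, in_subnet)[0]
    outside = {"src_mac": mac, "src_ip": "10.9.9.9"}
    r["acl_outside"] = ingress_acl_check(port, outside)[0]
    r["ipsg_outside"] = ip_source_guard_check(port, outside)[0]
    r["ipsg_static_device"] = ip_source_guard_check("Gi0/3", {"src_mac": "aa:aa:aa:00:00:03",
                                                              "src_ip": "192.168.1.12"})[0]
    # 30 ARPs within one second on a port limited to 15/s
    rl = ArpRateLimiter(per_second=15)
    r["arp_accepted"] = sum(rl.offer(port, i * 0.01) for i in range(30))
    r["arp_err_disabled"] = port in rl.err_disabled
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The two IP checks agree on a source from outside the subnet and disagree on the in-subnet spoof, which is exactly the gap slide 33 notes and slide 34 closes. Both DAI and IP Source Guard depend on the binding table being complete, so a non-DHCP device needs its static entry (Gi0/3 here) or a trusted port, otherwise its legitimate traffic is dropped too.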
  35. Conclusion

     | Vulnerability        | Remediation                                 |
     |----------------------|---------------------------------------------|
     | Attack within subnet | Private VLANs, Protected Ports              |
     | Broadcast storm      | Storm Control                               |
     | MAC Flooding         | Port Security                               |
     | DHCP DoS             | Port Security, DHCP Snooping                |
     | DHCP rogue           | DHCP Snooping                               |
     | Spanning Tree hijack | BPDU Guard                                  |
     | ARP table poisoning  | Dynamic ARP Inspection                      |
     | IP address spoofing  | Anti-spoofing access lists, IP Source Guard |