Computer Security and Networking - Security possibilities at layer 2

  1. Layer 2 Security, Wired LANs: Security Possibilities at Layer 2
  2. Seminar from the "Small bites" series. Dr. Andrea Virdi, lecturer in computer science, CCNP
  3. Goals of an Information Security Program
     • Confidentiality: prevent the disclosure of sensitive information to unauthorized people, resources, and processes
     • Integrity: protect system information and processes from intentional or accidental modification
     • Availability: assure that systems and data are accessible to authorized users when needed
  4. Information Security Model: Information States, Information Security Properties, Security Measures
  5. Information Security Properties: Confidentiality, Integrity, Availability
  6. Information States: Processing, Storage, Transmission
  7. Security Measures: Policy and Procedures; Technology; Education, Training, and Awareness
  8. Information Security Model, the three axes combined: states (Processing, Storage, Transmission), properties (Confidentiality, Integrity, Availability), measures (Policy and Procedures; Technology; Education, Training, and Awareness)
  9. Risk Management: Risk Analysis, Threats, Vulnerabilities, Countermeasures
  10. Risk Management Terms
     • Vulnerability: a weakness in a system, network or device
     • Threat: the potential danger posed by a vulnerability
     • Threat agent: the entity that identifies a vulnerability and uses it to attack the victim
     • Risk: the likelihood of a threat agent taking advantage of a vulnerability, and the corresponding business impact
     • Exposure: the potential to experience losses from a threat agent
     • Countermeasure: a control put in place to mitigate the potential risk
  11. Types of Attacks
     Structured attacks come from hackers who are highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved in the major fraud and theft cases reported to law enforcement agencies.
     Unstructured attacks consist mostly of inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats executed only to test and challenge a hacker's skills can still do serious damage to a company.
  12. Types of Attacks
     External attacks are initiated by individuals or groups working outside a company. They do not have authorized access to the computer systems or network; they gather information in order to work their way into the network, mainly from the Internet or through dial-up access servers.
     Internal attacks are more common and more dangerous. They are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks are often traced to disgruntled employees.
  13. Assertion: the intelligence built into the new generation of switches will permit greater control of data as it enters your network.
  14. Traditional Network Security
     • OSI layers 3 and 4 are where most network controls are implemented, e.g. "this host can only be contacted on TCP port 80 from subnets beginning with 172.16."
     • Firewall rules and router access lists
     • Specialized devices now look at layer 7 as well
  15. Traditional Network Security (diagram; only its labels survive: "Full Access" between hosts inside the 192.168.1.x subnet, "192.168.1.2 on TCP port 80" permitted through the firewall, "192.168.1.2 on TCP port 99" as the blocked case, and the switch marked "Not Involved")
  16. Vulnerability: Attack within subnet. Compromised machines can access others on the same VLAN by default. (Diagram: the firewall gives outside hosts only limited access, but the compromised machine has full access to its neighbours in the VLAN.)
  17. Remediation: Private VLANs
     • Promiscuous: talks to any port
     • Isolated: talks only to promiscuous ports
     • Community: talks only to the same community or to promiscuous ports
     Which port types can talk to each other:

                     promiscuous  isolated  community A  community B
       promiscuous   Yes          Yes       Yes          Yes
       isolated      Yes          No        No           No
       community A   Yes          No        Yes          No
       community B   Yes          No        No           Yes
  18. Remediation: Protected Ports
     • A simpler form of a Private VLAN
       − Protected: similar to Isolated
       − Not protected: similar to Promiscuous
     • Only applicable to the local switch, however

                      protected  not protected
       protected      No         Yes
       not protected  Yes        Yes
  19. Remediation: Private VLANs or Protected Ports (Diagram: the promiscuous / not protected port still has limited access from outside, while the isolated / protected ports have no access to each other.)
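The private VLAN and protected port configurations described on slides 17 to 19, written out as an added Cisco IOS example; this is not configuration from the original slides. The VLAN numbers (100 primary, 101 isolated, 102 and 103 community), the interface names, and the placement of the gateway and servers are assumptions; VTP must be in transparent mode (or off) for private VLANs to be configured.

```cisco
! Added example, not from the original slides. Assumed layout:
! gateway router on Gi1/0/1, community servers on Gi1/0/2-5,
! user PCs on Gi1/0/10-20, all in primary VLAN 100.
vtp mode transparent
!
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
vlan 103
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 101,102,103
!
! Promiscuous port: the default gateway, reachable from every secondary VLAN
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
!
! Isolated host ports: user PCs talk only to the promiscuous port
interface range GigabitEthernet1/0/10 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community A: these servers may talk to each other and to the gateway
interface range GigabitEthernet1/0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Community B
interface range GigabitEthernet1/0/4 - 5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
!
! Simpler alternative for a single switch (shown on a separate access
! switch, Fa0/1-24 user ports, Gi0/1 uplink; do not mix with the PVLAN
! configuration above on the same ports): protected ports never forward
! to each other, but all reach the "not protected" uplink.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 100
 switchport protected
```

Verify with `show vlan private-vlan` and `show interfaces switchport`, which lists the protected flag and the private VLAN association per port. The isolation is a layer 2 property only: if the router on the promiscuous port has proxy ARP enabled, it will route traffic between two isolated hosts on their behalf, so disable proxy ARP or filter on the gateway as well.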
  20. Vulnerability: Broadcast Storm
     • All devices in a VLAN / subnet must handle broadcasts, consuming resources
     • OS or application bugs may produce constant broadcasts
     • May also be malicious
     (Diagram: one host generates a broadcast storm and every other host is busy handling broadcasts.)
  21. Remediation: Storm Control
     • Can apply to broadcasts, multicasts, or unicasts
     • Set the threshold as a percentage of bandwidth over a 1 second period
     • If the threshold is exceeded, drop this type of packet for the next 1 second period
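The storm control settings from slide 21, as an added Cisco IOS example that is not part of the original slides. The interface range and the threshold values are assumptions; the right levels come from measuring the normal broadcast rate on the segment first.

```cisco
! Added example, not from the original slides. Assumes user access
! ports Gi1/0/1-24 on a Catalyst switch; percentages are assumptions.
interface range GigabitEthernet1/0/1 - 24
 ! Suppress broadcasts once they exceed 20% of port bandwidth in a
 ! 1 second interval, resume when they fall below 10% (rising/falling)
 storm-control broadcast level 20.00 10.00
 ! Multicast gets the same treatment
 storm-control multicast level 20.00 10.00
 ! Unknown-unicast floods (the MAC flooding case) get a looser bound
 storm-control unicast level 50.00
 ! Default action: drop the offending traffic type for the rest of the
 ! interval. "trap" adds an SNMP trap and syslog message; "shutdown"
 ! err-disables the port instead of just filtering.
 storm-control action trap
!
! If "storm-control action shutdown" is used, let the port recover
! automatically after 5 minutes instead of waiting for an operator
errdisable recovery cause storm-control
errdisable recovery interval 300
```

Check the counters with `show storm-control` (per traffic type per port). The level is a percentage of the port's own bandwidth, so 1% of a gigabit port is still 10 Mb/s of broadcast; platforms that support it accept a packets-per-second form instead (`storm-control broadcast level pps 500`), which is easier to reason about for a user port.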
  22. Vulnerability: Flooding for Data Capture or Performance Hit
     • Switches flood to all ports when the destination MAC is unknown
     • Switches learn MAC addresses at each port
     • The table of addresses has a finite size
     (Diagram: the attacker starts macof or dsniff, each frame carries a new source MAC, the address table fills, and the switch floods every frame.)
  23. Vulnerability: DHCP Denial of Service
     • The attacker requests new addresses for bogus MACs
     • There is a finite number of DHCP addresses in a subnet
     • PCs coming onto the network cannot get an address
     (Diagram: the attacker starts DHCP Gobbler and keeps sending requests until the server has no more addresses to offer.)
  24. Remediation: Port Security
     • Limits the source MAC addresses on a port
     • Can specify static addresses or a maximum number
     • Violations on a port can
       − disable the port
       − send a trap and syslog message
       − continue forwarding, dropping frames with new MACs
       − continue forwarding, aging out MAC entries from inactivity
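The port security options from slide 24, applied against the MAC flooding (slide 22) and DHCP exhaustion (slide 23) attacks, as an added Cisco IOS example that is not part of the original slides. Interface names, VLAN numbers and the server MAC address are placeholders; the IP phone plus PC arrangement on the user port is an assumption that explains the maximum of two addresses.

```cisco
! Added example, not from the original slides. Assumes a user port
! Gi1/0/10 carrying an IP phone (voice VLAN 20) and a PC (VLAN 10),
! and a server port Gi1/0/2 with a known MAC (placeholder value).
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! Phone plus PC: a third source MAC is a violation. macof needs
 ! thousands of source MACs, DHCP Gobbler one per bogus request.
 switchport port-security maximum 2
 ! restrict = keep forwarding the learned MACs, drop frames from any
 ! new MAC, send a trap/syslog and count the violation.
 ! shutdown (the default) err-disables the port; protect drops silently.
 switchport port-security violation restrict
 ! Forget a learned MAC after 2 minutes without traffic, so a replaced
 ! PC can come up without an operator clearing the port
 switchport port-security aging type inactivity
 switchport port-security aging time 2
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! Static entry: only this MAC may ever source frames here
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Bring a shut down port back after 10 minutes instead of leaving it
! err-disabled until someone logs in
errdisable recovery cause psecure-violation
errdisable recovery interval 600
```

`show port-security interface GigabitEthernet1/0/10` shows the current count, the violation count and the last source MAC seen; `show port-security address` lists the secure table. Port security only counts the Ethernet source address: a DHCP exhaustion tool that keeps the real source MAC and varies only the chaddr field inside the DHCP payload is not stopped here, which is the case slide 27 hands to DHCP snooping.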
  25. Vulnerability: DHCP Rogue Server. The attacker uses a rogue DHCP server to provide false settings (e.g., DNS, default gateway, etc.). (Diagram: the client's request reaches both the true DHCP server, whose offer is good, and the rogue server, whose bad offer carries the attacker's settings.)
  26. Remediation: DHCP Snooping. Define trusted ports for DHCP responses. (Diagram: the true DHCP server sits behind a trusted port and the rogue server behind an untrusted one; the bad offer is dropped and the client gets the good DHCP information.)
  27. Remediation: DHCP Snooping, other vulnerabilities covered
     • Comparison of the MAC address at layers 2 and 7
       − the hardware address must match the "chaddr" (client hardware address) field in DHCP packets arriving on untrusted ports
       − recall the DHCP Gobbler attack and Port Security
     • The switch keeps track of the DHCP bindings to prevent DoS release attacks
       − DHCP releases or declines must carry a hardware address matching the original bound address
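The DHCP snooping configuration behind slides 26 and 27, as an added Cisco IOS example that is not part of the original slides. The user VLAN (10), the uplink that leads to the real DHCP server (Gi1/0/24) and the user port range are assumptions.

```cisco
! Added example, not from the original slides. Assumes user VLAN 10,
! the legitimate DHCP server reachable through uplink Gi1/0/24, and
! user access ports Gi1/0/1-20 (placeholder names).
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop DHCP packets from untrusted ports whose Ethernet source MAC
! differs from the chaddr field in the DHCP payload (slide 27)
ip dhcp snooping verify mac-address
! Persist the binding table so DAI and IP Source Guard still have
! bindings after a reload instead of blocking every existing client
ip dhcp snooping database flash:dhcp-snooping.db
!
! Only the uplink may carry OFFER/ACK; a rogue server on any other
! port has its replies dropped. A server attached directly to this
! switch would need its own port trusted the same way.
interface GigabitEthernet1/0/24
 ip dhcp snooping trust
!
! Untrusted user ports: cap DHCP packets per second so one client
! cannot exhaust the pool or the switch CPU. Exceeding the limit
! err-disables the port.
interface range GigabitEthernet1/0/1 - 20
 ip dhcp snooping limit rate 10
!
errdisable recovery cause dhcp-rate-limit
!
! The switch inserts option 82 by default; if the DHCP server or an
! upstream switch drops such packets from untrusted ports, turn it off
no ip dhcp snooping information option
```

`show ip dhcp snooping` confirms which ports are trusted and rate limited, and `show ip dhcp snooping binding` lists the MAC, IP, lease, VLAN and port learned from each completed exchange. Keep in mind that a port facing another switch must be trusted too, otherwise the legitimate offers relayed through it are dropped.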
  28. Vulnerability: Spanning Tree Root Hijack for Data Capture or Performance Hit
     • Spanning Tree Protocol resolves loops
     • Bridge Protocol Data Units (BPDUs) are sent by switches
     • Loops are broken based on root selection
     (Diagram: the attacker connects to both switches, sends BPDUs, becomes the root bridge, and frames now pass through it while the STP block moves onto a legitimate link.)
  29. Remediation: BPDU Guard
     • BPDUs should not be received on an access port
     • BPDU receipt may indicate an unauthorized switch or hub, or an attack
     • BPDU receipt puts the port into error-disabled mode
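The BPDU Guard configuration from slide 29, as an added Cisco IOS example that is not part of the original slides. The port range and the uplink name are assumptions.

```cisco
! Added example, not from the original slides. Assumes user access
! ports Gi1/0/1-20 and an uplink Gi1/0/24 (placeholder names).
!
! Global form: every port in PortFast mode gets BPDU Guard, so a new
! access port is covered without per-port configuration
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Per-port form, explicit, for ports where the global default is not
! wanted or PortFast is set by hand
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The uplink must keep receiving BPDUs: never PortFast, never guarded
interface GigabitEthernet1/0/24
 no spanning-tree portfast
 spanning-tree bpduguard disable
!
! A port err-disabled by a stray BPDU comes back after 5 minutes; if
! the rogue switch is still there it is shut down again immediately
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

`show spanning-tree summary` reports whether BPDU Guard is enabled globally, and `show interfaces status err-disabled` lists the ports that have already been shut by it. Newer IOS releases spell the PortFast commands `spanning-tree portfast edge`; the behaviour is the same.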
  30. Vulnerability: ARP Table Poisoning
     • ARP (Address Resolution Protocol) associates layer 3 addresses with layer 2 addresses (IP to MAC)
     • Requests are broadcast
     • Responses are unauthenticated and can be sent without a request (gratuitous)
     • ARP tables are poisoned
     (Diagram: the attacker starts ettercap and announces "I am PC A" to the router and "I am also the router" to PC A, hijacking both directions.)
  31. Remediation: Dynamic ARP Inspection
     • Validates against the DHCP Snooping binding table (if DHCP Snooping is used)
     • Can build access lists of MAC and IP pairs for non-DHCP environments, or set a port to be trusted
     • Can limit the rate of ARPs to prevent DoS attacks
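The Dynamic ARP Inspection setup from slide 31, as an added Cisco IOS example that is not part of the original slides. It assumes DHCP snooping is enabled on VLAN 10 (the lines are repeated here so the block stands on its own); the uplink name, the user port range, and the statically addressed printer with its IP and MAC are placeholders.

```cisco
! Added example, not from the original slides. Assumes VLAN 10 with
! DHCP snooping, uplink Gi1/0/24, user ports Gi1/0/1-20, and a printer
! 10.0.10.50 / 0011.2233.4455 on Gi1/0/5 that does not use DHCP
! (all placeholder values).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! IP/MAC pairs for hosts that never appear in the DHCP binding table
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
!
ip arp inspection vlan 10
! Without the trailing "static" keyword, ARPs that do not match the
! list are still checked against the DHCP snooping bindings, so DHCP
! clients keep working
ip arp inspection filter STATIC-HOSTS vlan 10
! Also require the Ethernet header MACs to agree with the ARP body,
! and reject bogus sender IPs (0.0.0.0, broadcast, multicast)
ip arp inspection validate src-mac dst-mac ip
!
! Port toward the rest of the network: ARPs arriving here were already
! inspected by the upstream switch (or belong to the router)
interface GigabitEthernet1/0/24
 ip arp inspection trust
!
! Untrusted user ports: 15 ARPs per second is the default limit;
! exceeding it err-disables the port, which blunts ettercap's
! continuous gratuitous replies
interface range GigabitEthernet1/0/1 - 20
 ip arp inspection limit rate 15 burst interval 1
!
errdisable recovery cause arp-inspection
```

`show ip arp inspection statistics vlan 10` shows forwarded versus dropped ARPs and why they were dropped (DHCP permit, ACL deny, invalid source MAC). With this in place the "I am the router" reply in slide 30 is dropped at the attacker's port because its sender IP/MAC pair matches neither a binding nor the list. Inter-switch links must be trusted on both ends, or all switches in the VLAN must run DAI with a shared view of the bindings.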
  32. Vulnerability: IP Address Spoofing
     • The attacker sends a packet with a spoofed source IP address
     • The victim's response packet dies or goes to the wrong source (another victim)
     (Diagram: a packet whose source field is 192.168.1.1 sent toward the destination.)
  33. Remediation: Ingress Access List (RFC 2827)
     • Normally done by a router; can be done at a layer 2 device closer to the end device
     • Helps protect other devices on the subnet
     • The source IP address should always be either the all-zeros address used by a DHCP request or an address within the subnet (e.g., 207.206.205.x)
       − Vulnerability: the attacker could still use another IP address within that subnet
  34. Remediation: IP Source Guard
     • Based on DHCP Snooping: the source IP address must be the one listed in the DHCP Snooping table
     • Can add static mappings for non-DHCP devices
     • Can also check the source MAC address
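The ingress access list of slide 33 and the IP Source Guard configuration of slide 34 side by side, as an added Cisco IOS example that is not part of the original slides. The subnet 207.206.205.0/24 is the one used on slide 33; VLAN 10, the port names and the static server's IP and MAC are placeholders. The access list is the weaker control (it cannot tell two hosts of the same subnet apart); the source guard section below it closes that gap.

```cisco
! Added example, not from the original slides. Assumes user ports
! Gi1/0/1-20 in VLAN 10 = 207.206.205.0/24, and a server
! 207.206.205.50 / 0011.2233.4455 on Gi1/0/5 that does not use DHCP
! (placeholder values).
!
! --- Slide 33: RFC 2827 ingress filter as a port ACL ---
ip access-list extended ANTISPOOF-IN
 remark a DHCP client has no address yet: allow DISCOVER/REQUEST from 0.0.0.0
 permit udp host 0.0.0.0 eq bootpc any eq bootps
 remark only sources that belong to this subnet
 permit ip 207.206.205.0 0.0.0.255 any
 remark everything else carries a spoofed source
 deny ip any any
!
interface range GigabitEthernet1/0/1 - 20
 ip access-group ANTISPOOF-IN in
!
! --- Slide 34: IP Source Guard, per-port binding of source IP (and MAC) ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Static binding for the host that never gets a DHCP lease
ip source binding 0011.2233.4455 vlan 10 207.206.205.50 interface GigabitEthernet1/0/5
!
! Each user port may only source the IP bound to it by DHCP snooping;
! a frame with any other source IP, including a neighbour's address in
! the same subnet, is dropped at ingress
interface range GigabitEthernet1/0/1 - 20
 ip verify source
!
! For the static host also pin the source MAC; this form needs port
! security on the port. Newer IOS spells it "ip verify source mac-check".
interface GigabitEthernet1/0/5
 switchport mode access
 switchport port-security
 ip verify source port-security
```

`show ip verify source` lists, per port, the filter type and the IP (and MAC) currently allowed; a port with no binding yet shows "deny-all", which is the expected state for a freshly connected client until its DHCP exchange completes through the trusted port. The access list still earns its keep on ports where IP Source Guard is not available, and as a belt-and-braces filter for traffic that bypasses the binding table (a static host whose binding was never added is simply cut off, which is the safe failure mode).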
  35. Conclusion

     Vulnerability            Remediation
     Attack within subnet     Private VLANs, Protected Ports
     Broadcast storm          Storm Control
     MAC flooding             Port Security
     DHCP DoS                 Port Security, DHCP Snooping
     DHCP rogue server        DHCP Snooping
     Spanning Tree hijack     BPDU Guard
     ARP table poisoning      Dynamic ARP Inspection
     IP address spoofing      Anti-spoofing access lists, IP Source Guard