Beruflich Dokumente
Kultur Dokumente
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Skip to content
Home
Consulting/About Me
Contact Me
Mikrotik Training Videos
Cacti Video Tutorials
Dec 14 / Greg
1/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Man in the middle...you are Bob and all your base are belong to us
So as you can imagine, if you manage a hotel or apartment complex, this could be a HUGE problem. This could be a problem for enterprises also, but for
more or less shared public infrastructure, this is scary.
Rogue DHCP on a segment
What is a rouge DHCP server? This is when you have an unauthorized DHCP server handing out IP addresses on your network. Why is this a problem? A
DHCP request fulfillment is really a foot race. You can have many DHCP servers on a single LAN segment, but whichever gets its answer back to the
requesting host, wins. So, if your legitimate DHCP server is 20 milliseconds away and the rogue is 5 milliseconds away, guess who will win the race? This is a
http://gregsowell.com/?p=1133
2/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
problem because rogues will generally give you a false path to the internet. They could create a man in the middle attack as above. They can hand you an IP
address and say that they are the router to the internet. You will pass all your traffic to them and they will relay it on. Most often we see rogues in apartment
complex networks. This is due to the fact that users will plug their wireless routers in backwards and start handing out IP addresses. There is no malicious
intent in this second scenario, but they can take out large portions of your apartment users!
Improperly connected wireless router is closer, and responds faster...so now you are getting a junk IP and
Default Route
DHCP starvation attack
A starvation attack is when a user spoofs tons of MAC addresses and requests a DHCP address from each MAC. This means that a single attacker can
accept and hold all of your DHCP addresses, thus not allowing your legitimate users to pull an address.
http://gregsowell.com/?p=1133
3/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
http://gregsowell.com/?p=1133
4/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
ARP attacking a switch to overrun the MAC Address table - again, all your traffic are come to me
Configuration
So, now we have a few compelling reasons why we need L2 security, how do we do it? The first thing you do is get yourself some Cisco switches:) I have
no idea how to do it with anything else. I know Juniper/Procurve will do it, but exactly how is a mystery to me. So now that Ive told you get Cisco, I must tell
you which models support our features. As far as the 1U switching line, you will need at least a 3550 or above. This covers 3560s and 3750s. If you are going
with say a 6500 series switch, you will need at minimum a Sup32. A 3550 24 port will run you around $150. A 3550 48 port will run you around $190.
Port security
Time to get to the real configuration. What we are going to kick on 1st is port security. This sets a limit on the number of MAC addresses that can be learned
http://gregsowell.com/?p=1133
5/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
via a single switch port. Setting port security will help to protect our DHCP server from a starvation attack. I generally like to set the number of allowed MAC
addresses to 10. You have to remember that if you are using Cisco phones and you are piggy backing your PC off of it, you will be required to allow at least 2
MAC addresses. Some switches will see the initial CDP message come from the phone and consider this a separate MAC, so on these switches you would
need 3 MAC allowances. The easiest thing I have found is to simply allow 10 MACs. Port security is configured on a per port basis.
1 interface FastEthernet0/1
2 switchport port-security maximum 10 !sets max MACs to 10
3 switchport port-security !enables port security
4 switchport port-security aging time 30 ! sets the time in minutes that MAC addresses will timeout
5 switchport port-security violation restrict !sets the violate action to restrict - default is err disable port
6 switchport port-security aging type inactivity !sets the aging type to only start when there is no activity on the port
In the above example you see that I upload the DSBT to an TFTP server. I do this so that when a switch looses power it will repopulate its DSBT. This
doesnt seem like that big a deal because windows hosts and Mac hosts will pull DHCP when an interfaces loses connectivity, so they will be ok. A lot of
Linux hosts, however, wont reDHCP when their interfaces lose connectivity.
By default, when you turn on DS all ports are considered untrusted. You will need to mark the to specify trusted interface. A trusted interface is an interface
where the DHCP server should be coming from. If you are on an edge switch and you dont physically have the DHCP server plugged into it, you will need to
set the trunk ports as trusted ports!
1 interface GigabitEthernet0/1
http://gregsowell.com/?p=1133
6/17
11/20/2014
2
3
4
5
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
You can also set a packet per second rate limit per port.
1 interface FastEthernet0/1
2 ip dhcp snooping limit rate 50 !50 PPS
We also have to mark which ports are trusted ports. These are ports we dont inspect on. Your trunk ports will always need to be trustedunless you want
to black hole your traffic?
1 interface GigabitEthernet0/1
2 switchport trunk encapsulation dot1q
3 switchport trunk allowed vlan 10
4 switchport mode trunk
5 ip arp inspection trust !marked as trusted
Also, by default he does an ARP packet per second limiting. The default is 15 PPS, I generally up this to 50.
1 interface FastEthernet0/1
2 ip arp inspection limit rate 50
When the PPS rate limit is violated, the switch port will err disable. I recommend doing error recovery for this reason:
1 errdisable recovery cause arp-inspection !enables recovery for arp-inspection PPS events
2 errdisable recovery interval 14400 ! this value is in seconds. I have this set to 4 hours
http://gregsowell.com/?p=1133
7/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Nice article! Im going to think about an implementation of this on a new network Im doing as part of my internship
2. Greg / Dec 30 2009
Ronald :
Nice article! Im going to think about an implementation of this on a new network Im doing as part of my internship
Ronald,
Thanks. Definitely give it a swing. I know it gives me that warm and cozy feeling knowing I have my users on lock downhehe.
3. Kenneth / Mar 23 2010
http://gregsowell.com/?p=1133
8/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Kenneth :
This is very Pro. easy to understand.
Thanks Ken. Im glad it helped
5. Vdelarenal / Mar 25 2010
Hi, can you recommend me a cisco switch for doing this on a 300 users network?
Thanks.
6. Greg / Mar 26 2010
Vdelarenal :
Hi, can you recommend me a cisco switch for doing this on a 300 users network?
Thanks.
Why not the 6509? This way you have a single chassis to manage.
You could always stack a bunch of 3550s if you want to save money.
3750s are the cheapest stackable Cisco, but it would be cheaper to put in a single 6509.
7. sunny / Apr 26 2010
http://gregsowell.com/?p=1133
9/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Very nice article, i need to implement all these feature in my LAN (psecure, dhcp snooping and DAI) this has helped me lottt. but missing some thing
like dhcp snooing information options, which i may need since i have a firewalled network where my dhcp server is in another interface from the local
user interface. but still greatKen. thanks..
8. Greg / Apr 26 2010
Ken,
I have DHCP snooping in there
9. Benny / May 7 2010
Name (required)
Email (required, will not be published)
Website
http://gregsowell.com/?p=1133
10/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Comment
Comments Feed
CAPTCHA Code *
Subscribe to comments on this post
Submit Comment
Archives
November 2014
September 2014
August 2014
July 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
September 2013
http://gregsowell.com/?p=1133
11/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
http://gregsowell.com/?p=1133
12/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
Categories
Access Control
Arduino
Asterisk
Asterixk
Autoit
Cabling
Cacti
Cacti Tutorials
Cacti Video Tutorial
CallManager
Chromecast
Cisco
Cisco ASA
Class Video
http://gregsowell.com/?p=1133
13/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Dude
Fun
Hardware
Hotspot
Linux
Mikrotik
Mikrotik Tutorials
Mikrotik Video Tutorial
My Thumb Drive
MySQL
Networking
PLC
Pop Quiz
Programming/Scripting
SCADA
Script
Security
Server
Template
TheBrothersWISP
Thoughts
Training/Classes
Ubiquiti
Uncategorized
Vmware
VOIP
Windows
Wireless
Pages
Cacti Video Tutorials
Consulting/About Me
Contact Me
Mikrotik Training Videos
http://gregsowell.com/?p=1133
14/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Blogroll
Andrew's Blog
JJ's Blog
Justin Miller's Blog
Justin Wilson's Blog
Packet Life
Cacti Links
Cacti.net
Cactiusers
Cactiusers blog
Contact Me
Contact Me
Ads
Links
Andrew's Blog
Cacti.net
Cactiusers
Cactiusers blog
Contact Me
http://gregsowell.com/?p=1133
15/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Categories
Access Control
Arduino
Asterisk
Asterixk
Autoit
Cabling
Cacti
Cacti Tutorials
Cacti Video Tutorial
CallManager
Chromecast
Cisco
Cisco ASA
Class Video
Dude
Fun
Hardware
Hotspot
Linux
Mikrotik
Mikrotik Tutorials
Mikrotik Video Tutorial
My Thumb Drive
MySQL
Networking
PLC
Pop Quiz
Programming/Scripting
SCADA
Script
Security
Server
Template
TheBrothersWISP
http://gregsowell.com/?p=1133
16/17
11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Thoughts
Training/Classes
Ubiquiti
Uncategorized
Vmware
VOIP
Windows
Wireless
Pages
Cacti Video Tutorials
Consulting/About Me
Contact Me
Mikrotik Training Videos
Archives
November 2014
September 2014
August 2014
July 2014
May 2014
Search
Type and press enter
http://gregsowell.com/?p=1133
17/17