Layer 2 Security - Protect You and Your Users From Attack

11/20/2014
Layer 2 Security Protect You and Your Users From Attack | Greg Sowell Consulting
Skip to content
Home
Consulting/About Me
Contact Me
Mikrotik Training Videos
Cacti Video Tutorials
Dec 14 / Greg
Layer 2 Security Protect You and Your Users From Attack

Before your access lists or firewall rules comes layer 2(L2). This is the Data link layer where your MAC addressing lives. Why do we need to protect
L2?
Man in the middle attacks happen via L2
Rogue DHCP on a single segment
DHCP server starvation attack
ARP attacks against your switches
Lets hit these guys one at a time:
http://gregsowell.com/?p=1133
1/17
11/20/2014
Man in the middle attack

What is a man in the middle attack? Heres what wikipedia says about it. In a nutshell I tell the router that I am you, and I tell you that I am the router. What
happens is that all your traffic passes through mewhile I intercept everything possible about what you are doing. I wait for you to attempt a bank transaction
and hand you a bunk site certificate and steal your monies I do this by sending gratuitous ARPs. These are unprovoked ARP announcements. I send ARPs
over and over to the router saying Im you. I then send you ARPs over and over saying that I am the router.
Man in the middle...you are Bob and all your base are belong to us
So as you can imagine, if you manage a hotel or apartment complex, this could be a HUGE problem. This could be a problem for enterprises also, but for
more or less shared public infrastructure, this is scary.
Rogue DHCP on a segment
What is a rouge DHCP server? This is when you have an unauthorized DHCP server handing out IP addresses on your network. Why is this a problem? A
DHCP request fulfillment is really a foot race. You can have many DHCP servers on a single LAN segment, but whichever gets its answer back to the
requesting host, wins. So, if your legitimate DHCP server is 20 milliseconds away and the rogue is 5 milliseconds away, guess who will win the race? This is a
2/17
11/20/2014
problem because rogues will generally give you a false path to the internet. They could create a man in the middle attack as above. They can hand you an IP
address and say that they are the router to the internet. You will pass all your traffic to them and they will relay it on. Most often we see rogues in apartment
complex networks. This is due to the fact that users will plug their wireless routers in backwards and start handing out IP addresses. There is no malicious
intent in this second scenario, but they can take out large portions of your apartment users!
Improperly connected wireless router is closer, and responds faster...so now you are getting a junk IP and
Default Route
DHCP starvation attack
A starvation attack is when a user spoofs tons of MAC addresses and requests a DHCP address from each MAC. This means that a single attacker can
accept and hold all of your DHCP addresses, thus not allowing your legitimate users to pull an address.
3/17
11/20/2014
I've taken all the DHCP IPs...now you can't pull an IP

ARP attacks against our switches
Ive got a 6509, why should I bother with one little guy ARP attacking me? Because even a Cisco 6500 will only hold about 120K MAC addresses in its
MAC-Address table(per VLAN) before it gets overrun. Once your fancy switch is overrun and the MAC table is full, it turns into a fancy hub! So, all of your
super secret traffic you dont want anyone else to see is now getting broadcast out every port configured for that access VLAN or untagged for that VLAN. I
just got you again. You know whats even better is that my ARP will propagate through your fancy 6500 and down to your not so fancy edge switches that
can handle even less trafficsnapI just got you again. You also realize that this attack can reach maturity in around 10-20 seconds?
4/17
11/20/2014
ARP attacking a switch to overrun the MAC Address table - again, all your traffic are come to me
Configuration
So, now we have a few compelling reasons why we need L2 security, how do we do it? The first thing you do is get yourself some Cisco switches:) I have
no idea how to do it with anything else. I know Juniper/Procurve will do it, but exactly how is a mystery to me. So now that Ive told you get Cisco, I must tell
you which models support our features. As far as the 1U switching line, you will need at least a 3550 or above. This covers 3560s and 3750s. If you are going
with say a 6500 series switch, you will need at minimum a Sup32. A 3550 24 port will run you around $150. A 3550 48 port will run you around $190.
Port security
Time to get to the real configuration. What we are going to kick on 1st is port security. This sets a limit on the number of MAC addresses that can be learned
5/17
11/20/2014
via a single switch port. Setting port security will help to protect our DHCP server from a starvation attack. I generally like to set the number of allowed MAC
addresses to 10. You have to remember that if you are using Cisco phones and you are piggy backing your PC off of it, you will be required to allow at least 2
MAC addresses. Some switches will see the initial CDP message come from the phone and consider this a separate MAC, so on these switches you would
need 3 MAC allowances. The easiest thing I have found is to simply allow 10 MACs. Port security is configured on a per port basis.
1 interface FastEthernet0/1
2 switchport port-security maximum 10 !sets max MACs to 10
3 switchport port-security !enables port security
4 switchport port-security aging time 30 ! sets the time in minutes that MAC addresses will timeout
5 switchport port-security violation restrict !sets the violate action to restrict - default is err disable port
6 switchport port-security aging type inactivity !sets the aging type to only start when there is no activity on the port
Heres the Cisco docs on it.

Another quick note is that we dont enable port security on trunk ports. Now that we have that covered, lets move on.
DHCP Snooping
We are next going to enable DHCP snooping(DS). DS will prevent our rogue DHCP servers. It only allows DHCP servers to respond on interfaces marked
as trusted. Everything past this point builds off of DHCP snooping, so its quite a critical step. How DS works is to monitor DHCP requests coming from a
port and to record the responses into a table on the switch called theget ready for it, deep breathDHCP snooping binding table(DSBT). I know what you
are thinkingWe dont have everything set for DHCP, like some printers and machines. To this I say, almost anything can be set for DHCP. If you use
dynamic DNS like Microsoft Active Directory(AD), you can simply reference the DNS name of the device. Or, if you setup reservation in your DHCP server
for these devices, they will technically make the DHCP request, but they will pull the same IP every time.
DS is configured globally on a VLAN and not locally per interface.
1 ip dhcp snooping vlan 10 !set your VLANs that should be snooped

2 ip dhcp snooping database tftp://10.1.1.1/the-file !this will offload your DSBT to an TFTP server - We generally use Mikrotik's TFTP server
3 ip dhcp snooping database write-delay 60 !setup a write delay if an entry changes in the DSBT
4 ip dhcp snooping verify mac-address !ensures that the MAC learned on the port matches that in the DHCP request
5 ip dhcp snooping !enable DS on the switch
In the above example you see that I upload the DSBT to an TFTP server. I do this so that when a switch looses power it will repopulate its DSBT. This
doesnt seem like that big a deal because windows hosts and Mac hosts will pull DHCP when an interfaces loses connectivity, so they will be ok. A lot of
Linux hosts, however, wont reDHCP when their interfaces lose connectivity.
By default, when you turn on DS all ports are considered untrusted. You will need to mark the to specify trusted interface. A trusted interface is an interface
where the DHCP server should be coming from. If you are on an edge switch and you dont physically have the DHCP server plugged into it, you will need to
set the trunk ports as trusted ports!
1 interface GigabitEthernet0/1
6/17
11/20/2014
2
3
4
5
switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10
switchport mode trunk
ip dhcp snooping trust !set this trunk port as a trusted port
You can also set a packet per second rate limit per port.
2 ip dhcp snooping limit rate 50 !50 PPS
Heres what Cisco says about DS.

Dynamic ARP inspection
Now we will turn on some dynamic ARP inspection(DAI). So, what does our friend DAI do? He inspects every ARP packet that flows on untrusted ports
and makes sure they conform to the DHCP snooping binding table. So this kills the man in the middle attacks that leverage false gratuitous ARPs.
DIA configures globally also:
1 ip arp inspection vlan 10 !specify which VLANs to scan
2 ip arp inspection validate src-mac ip !checks for bad IPs and ensures that it is sourced from interface MAC
3 ip arp inspection log-buffer entries 1024 !by default 32 entries max will be held non violates
4 ip arp inspection log-buffer logs 1024 interval 10 !by default will only hold them for 5 seconds, this ups to 10
We also have to mark which ports are trusted ports. These are ports we dont inspect on. Your trunk ports will always need to be trustedunless you want
to black hole your traffic?
1 interface GigabitEthernet0/1
2 switchport trunk encapsulation dot1q
3 switchport trunk allowed vlan 10
4 switchport mode trunk
5 ip arp inspection trust !marked as trusted
Also, by default he does an ARP packet per second limiting. The default is 15 PPS, I generally up this to 50.
2 ip arp inspection limit rate 50
When the PPS rate limit is violated, the switch port will err disable. I recommend doing error recovery for this reason:
1 errdisable recovery cause arp-inspection !enables recovery for arp-inspection PPS events
2 errdisable recovery interval 14400 ! this value is in seconds. I have this set to 4 hours
7/17
11/20/2014
Ciscos docs can be found here on DAI.

So this will protect you from attacks on L2, but it wont provide any authentication. If you want to do some L2 authentication, you need to check out 802.1X.
Is 802.1X a replacement for L2 security, NO! Just because someone can authenticate doesnt mean they dont have a virus on their machine that will attack
your network in some waytrust no one
If you enjoyed this article and wouldnt mind seeing more, drop me a line and tell me about it.
Filed under Cisco, Mikrotik, Networking, Security

10 Comments
leave a comment
1. Ronald / Dec 30 2009
Nice article! Im going to think about an implementation of this on a new network Im doing as part of my internship
2. Greg / Dec 30 2009
Ronald :
Nice article! Im going to think about an implementation of this on a new network Im doing as part of my internship
Ronald,
Thanks. Definitely give it a swing. I know it gives me that warm and cozy feeling knowing I have my users on lock downhehe.
3. Kenneth / Mar 23 2010
8/17
11/20/2014
This is very Pro. easy to understand.

4. Greg / Mar 23 2010
Kenneth :
This is very Pro. easy to understand.
Thanks Ken. Im glad it helped
5. Vdelarenal / Mar 25 2010
Hi, can you recommend me a cisco switch for doing this on a 300 users network?
Thanks.
6. Greg / Mar 26 2010
Vdelarenal :
Hi, can you recommend me a cisco switch for doing this on a 300 users network?
Thanks.
Why not the 6509? This way you have a single chassis to manage.
You could always stack a bunch of 3550s if you want to save money.
3750s are the cheapest stackable Cisco, but it would be cheaper to put in a single 6509.
7. sunny / Apr 26 2010
9/17
11/20/2014
Very nice article, i need to implement all these feature in my LAN (psecure, dhcp snooping and DAI) this has helped me lottt. but missing some thing
like dhcp snooing information options, which i may need since i have a firewalled network where my dhcp server is in another interface from the local
user interface. but still greatKen. thanks..
8. Greg / Apr 26 2010
Ken,
I have DHCP snooping in there
9. Benny / May 7 2010
Quite useful and clear! Thanks!

10. RobertM / Feb 21 2011
re: I have no idea how to do it with anything else.

Look for software called dhcpdrop. It sends out discover packets, ignores the legitimate server and then eats all the addresses from the rogue. Email me
if you want an english version of the man page.
Leave a Comment
Name (required)
Email (required, will not be published)
Website
10/17
11/20/2014
Comment
Comments Feed
CAPTCHA Code *
Subscribe to comments on this post
Submit Comment
Archives
November 2014
September 2014
August 2014
July 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
September 2013
11/17
11/20/2014
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
12/17
11/20/2014
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
Categories
Access Control
Arduino
Asterisk
Asterixk
Autoit
Cabling
Cacti
Cacti Tutorials
Cacti Video Tutorial
CallManager
Chromecast
Cisco
Cisco ASA
Class Video
13/17
11/20/2014
Dude
Fun
Hardware
Hotspot
Linux
Mikrotik
Mikrotik Tutorials
Mikrotik Video Tutorial
My Thumb Drive
MySQL
Networking
PLC
Pop Quiz
Programming/Scripting
SCADA
Script
Security
Server
Template
TheBrothersWISP
Thoughts
Training/Classes
Ubiquiti
Uncategorized
Vmware
VOIP
Windows
Wireless
Pages
Consulting/About Me
Contact Me
14/17
11/20/2014
Blogroll
Andrew's Blog
JJ's Blog
Justin Miller's Blog
Justin Wilson's Blog
Packet Life
Cacti Links
Cacti.net
Cactiusers
Cactiusers blog
Contact Me
Contact Me
Ads
Links
Andrew's Blog
Cacti.net
Cactiusers
Cactiusers blog
Contact Me
15/17
11/20/2014
Categories
Access Control
Arduino
Asterisk
Asterixk
Autoit
Cabling
Cacti
Cacti Tutorials
Cacti Video Tutorial
CallManager
Chromecast
Cisco
Cisco ASA
Class Video
Dude
Fun
Hardware
Hotspot
Linux
Mikrotik
Mikrotik Tutorials
Mikrotik Video Tutorial
My Thumb Drive
MySQL
Networking
PLC
Pop Quiz
Programming/Scripting
SCADA
Script
Security
Server
Template
TheBrothersWISP
16/17
11/20/2014
Thoughts
Training/Classes
Ubiquiti
Uncategorized
Vmware
VOIP
Windows
Wireless
Pages
Consulting/About Me
Contact Me
Archives
November 2014
September 2014
August 2014
July 2014
May 2014
Search
Type and press enter
Copyright 2014 Your Name Here. All rights reserved.

Paperpunch Theme by The Theme Foundry
17/17

Layer 2 Security - Protect You and Your Users From Attack

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Layer 2 Security - Protect You and Your Users From Attack

Hochgeladen von

Copyright:

Verfügbare Formate

11/20/2014

Layer 2 Security Protect You and Your Users From Attack

Man in the middle attack

I've taken all the DHCP IPs...now you can't pull an IP

Heres the Cisco docs on it.

1 ip dhcp snooping vlan 10 !set your VLANs that should be snooped

switchport trunk encapsulation dot1q

Heres what Cisco says about DS.

Ciscos docs can be found here on DAI.

Filed under Cisco, Mikrotik, Networking, Security

This is very Pro. easy to understand.

Quite useful and clear! Thanks!

re: I have no idea how to do it with anything else.

Copyright 2014 Your Name Here. All rights reserved.

Das könnte Ihnen auch gefallen