Beruflich Dokumente
Kultur Dokumente
Ethernet Switches
sean@cisco.com
l2-security-bh.ppt
Agenda
Other Attacks
Caveats
OSI Was Built to Allow Different Layers to Work without Knowledge of Each Other
Host A
Application
Host B
Application Stream
Presentation
Presentation
Session
Session
Transport
Protocols/Ports
Transport
Network
IP Addresses
Network
Data Link
Physical
l2-security-bh.ppt
Application
MAC Addresses
Physical Links
Data Link
Physical
Presentation
Session
Transport
Network
Data Link
Session
Protocols/Ports
Transport
IP Addresses
Network
Initial
MACCompromise
Addresses
Physical
l2-security-bh.ppt
Application
Presentation
Compromised
Application
Physical Links
Data Link
Physical
Questions:
Questions:
Most NetOPS
NetOPS
There are L2
Security issues?
I use VLANs all
the time
Routing in and out
of the same switch
is OK by me! That
Thats
s
what VLANs are for
The security guy
asks me for a new
segment, I create a
VLAN and assign
him an address
space
Most SecOPS
SecOPS
I handle security
issues at L3 and
above
I have no idea if we
we
l2-security-bh.ppt
MAC Attacks
l2-security-bh.ppt
1234.5678.9ABC
First 24 bits = Manufacture Code
Assigned by IEEE
0000.0cXX.XXXX
XXXX.XX00.0001
All Fs = Broadcast
FFFF.FFFF.FFFF
CAM Table stands for Content Addressable Memory
The CAM Table stores information such as MAC addresses
available on physical ports with their associated VLAN
parameters
CAM Tables have a fixed size
l2-security-bh.ppt
MAC
A
Port
1
A->B
Port 2
Port 1
MAC B
I
See Traffic
to B !
->
Port 3
MAC A
>
A
B Unknown
Flood the Frame
MAC C
l2-security-bh.ppt
10
MAC
A
B
C
Port
1
2
3
B->A
MAC B
Port 3
A Is on Port 1
Learn:
B Is on Port 2
l2-security-bh.ppt
Port 2
Port 1
MAC A
->
MAC C
11
MAC
A
B
C
Port
1
2
3
A->B
MAC B
Port 2
Port 1
MAC A
->
Port 3
B Is on Port 2
I Do Not See
Traffic to B !
l2-security-bh.ppt
MAC C
12
l2-security-bh.ppt
13
MAC
A
X
B
Y
C
Port
1
3
2
3
3
Port 2
Port 1
MAC A
Port 3
X>?
Y->?
X Is on Port 3
Y Is on Port 3
l2-security-bh.ppt
MAC B
MAC C
14
MAC
X
Y
C
Port
3
3
3
A->B
Port 2
Port 1
MAC B
I
See Traffic
to B !
->
Port 3
MAC A
>
A
B Unknown
Flood the Frame
MAC C
l2-security-bh.ppt
15
16,000
Flooded!
If the value is the same there are 8 buckets to place CAM entries, if all 8 are
filled the packet is flooded
l2-security-bh.ppt
16
l2-security-bh.ppt
17
->
->
->
->
(broadcast)
(broadcast)
10.1.1.25
10.1.1.26
ARP C Who
ARP C Who
ICMP Echo
ICMP Echo
is 10.1.1.1, 10.1.1.1 ?
is 10.1.1.19, 10.1.1.19 ?
request (ID: 256 Sequence number: 7424) OOPS
reply (ID: 256 Sequence number: 7424) OOPS
18
Port Security
Capabilities are dependant on the platform
Allows you to specify MAC addresses for each port, or
to learn a certain number of MAC addresses per port
Upon detection of an invalid MAC the switch can be
configured to block only the offending MAC or just shut
down the port
Port security prevents macof from flooding the CAM
table
http://cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htm
l2-security-bh.ppt
19
l2-security-bh.ppt
20
l2-security-bh.ppt
21
Trunk Port
22
CDP and VTP (two common Cisco control protocols) are passed
over VLAN 1 only. If VLAN 1 is cleared from a trunk, although no
user data is transmitted or received, the switch continues to pass
some control protocols on VLAN 1.
For this reason (and the fact that VLAN 1 can not be deleted) dont
use it if you dont need to.
l2-security-bh.ppt
23
l2-security-bh.ppt
24
What is DTP?
Automates ISL/802.1Q trunk
configuration
0100.0ccc.cccc
SNAP Proto
0x2004
l2-security-bh.ppt
Dynamic
Trunk
Protocol
25
Trunk Port
Trunk Port
A station can spoof as a switch with ISL or 802.1Q signaling (DTP
signaling is usually required as well, or a rogue DTP speaking switch)
The station is then member of all VLANs
Requires a trunking favorable setting on the port (the SANS paper is
two years old)
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
l2-security-bh.ppt
26
Attacker
80
2.
1q
,8
02
.1
q
Fram
e
Victim
27
l2-security-bh.ppt
28
Disabling Auto-Trunking
l2-security-bh.ppt
29
l2-security-bh.ppt
30
ARP Attacks
l2-security-bh.ppt
31
ARP Refresher
32
Gratuitous ARP
33
Host X
.3
Host W
.4
34
Host X
.3
Host W
.4
35
ARP spoofing
MAC flooding
Selective sniffing
SSH/SSL interception
Dug Song, Author of dsniff
www.monkey.org/~dugsong/dsniff
l2-security-bh.ppt
36
Arpspoof in Action
Type
dynamic
dynamic
37
More on Arpspoof
l2-security-bh.ppt
38
Selective Sniffing
Host: wwwin-abc.cisco.com
39
SSL/SSH Interception
from
from
from
from
10.1.1.25:
10.1.1.25:
10.1.1.25:
10.1.1.25:
bytes=32
bytes=32
bytes=32
bytes=32
time<10ms
time<10ms
time<10ms
time<10ms
TTL=249
TTL=249
TTL=249
TTL=249
40
SSL/SSH Interception
l2-security-bh.ppt
41
SSL/SSH Interception
Upon inspection
they will look
most users
l2-security-bh.ppt
invalid
42
43
l2-security-bh.ppt
44
Promiscuous
Port
Promiscuous
Port
Primary VLAN
Community VLAN
Community VLAN
Isolated VLAN
x x
x
Community
A
Community
B
Isolated
Ports
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519
l2-security-bh.ppt
45
Community Ports
46
Available on: Cat 6K with CatOS 5.4(1); Cat 4K with CatOS 6.2; (no
native IOS support); Cat6K IOS with12.1(11b)E and Cat4K IOS with
12.1(8a)EW; config can be a bit trickey (CatOS shown):
CatOS> (enable) set vlan vlan_num pvlan-type primary
CatOS> (enable) set vlan vlan_num pvlan-type {isolated |
community}
CatOS> (enable) set pvlan primary_vlan_num {isolated_vlan_num |
community_vlan_num} mod/port
CatOS> (enable) set pvlan mapping primary_vlan_num
{isolated_vlan_num | community_vlan_num} mod/ports
IOS(config-if)#port protected
Any port without this command entered is
promiscuous
l2-security-bh.ppt
47
Ports
48
l2-security-bh.ppt
49
l2-security-bh.ppt
50
A Tree-Like
Loop-Free Topology
Is Established from
the perspective of
F
the root bridge
F
F
Root
X
X
F
F
A Switch Is
Elected as Root
Root selection is
STP is very simple. Messages are sent using Bridge Protocol Data
Units (BPDUs). Basic messages include: configuration,
topology change notification/acknowledgment (TCN/TCA); most
have no payload
Avoiding loops ensures broadcast traffic does not become storms
51
l2-security-bh.ppt
improve this
52
Access Switches
Root
Root
F
F
ST
ST
Attacker
l2-security-bh.ppt
53
shouldnt
PVST, etc.
backbone to half-duplex 10 Mb
was verified
l2-security-bh.ppt
Access Switches
Root
F
F
B
F
B
Root
Attacker
54
Root
GE
F
B
l2-security-bh.ppt
FE
FE
F
B
Access
Switch
STP
GE backbone becomes FE L
Root
55
BPDU Guard
Disables ports using portfast upon detection of a BPDU message on the port
Globally enabled on all ports running portfast
Available in CatOS 5.4.1 for Cat 2K, 4K, 5K, and 6K; 12.0XE for native IOS 6K;
12.1(8a)EW for 4K Sup III; 12.1(4)EA1 for 3550; 12.1(6)EA2 for 2950
CatOS> (enable)set spantree portfast bpdu-guard enable
IOS(config)#spanning-tree portfast bpduguard
Root Guard
Disables ports who would become the root bridge due to their BPDU
advertisement
Configured on a per port basis
Available in CatOS 6.1.1 for Cat 29XX, 4K, 5K, and 6K; 12.0(7) XE for native IOS 6K,
12.1(8a)EW for 4K Sup III; 29/3500XL in 12.0(5)XU; 3550 in 12.1(4)EA1; 2950 in
12.1(6)EA2
CatOS> (enable) set spantree guard root 1/1
IOS(config)#spanning-tree guard root (or rootguard)
l2-security-bh.ppt
56
l2-security-bh.ppt
DST MAC
0100.0ccc.cccc
SNAP Proto
0x2003
57
58
l2-security-bh.ppt
59
Client only
Available in 3550 and 2950 in 12.1(4)EA1; 29/3500XL in 11.2(8)SA4
l2-security-bh.ppt
60
VMPS Architecture
VMPS
Server
VMPS
Client
TP
F
T
ry
e
Qu
VMPS
Database
ly
p
Re
61
VMPS/VQP Attacks
VQP Query
l2-security-bh.ppt
62
l2-security-bh.ppt
63
64
Request ID
Send ID/Password
Accept
Authentication Successful
Actual Authentication Conversation Is Between Client and Auth Server Using EAP;
EAP;
802.1x
l2-security-bh.ppt
RADIUS
65
Other Attacks
l2-security-bh.ppt
66
l2-security-bh.ppt
0100.0ccc.cccc
SNAP
Proto
0x2000
DST MAC
67
CDP Attacks
68
l2-security-bh.ppt
69
RFC 3118 Authentication for DHCP Messages will help, but has yet
to be implemented
Consider using multiple DHCP servers for the different security
zones of your network
DHCP Option 82 on the 3550 can help:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1219ea1/3550
scg/swdhcp82.htm
70
Attacker
PVLANs Work
Drop Packet
Mac:A IP:1
S:A
1D
:B2
Promiscuous Port
Isolated Port
X
Router
Victim
Mac:C IP:3
Mac:B IP:2
l2-security-bh.ppt
71
Attacker
Mac:A IP:1
Promiscuous Port
PVLANs Work
Forward Packet
Isolated Port
S:A
1D
: C2
Routers Route:
Forward Packet
S:A1
S:A1D:C2
D:B2
:B2
D
1
S:A
Router
Mac:C IP:3
Victim
Mac:B IP:2
Only allows unidirectional traffic (Victim will ARP for A and fail)
If both hosts were compromised, setting static ARP entries for each
other via the router will allow bi-directional traffic
Most firewalls will not forward the packet like a router
Note: this is not a PVLAN vulnerability as it enforced the rules!
l2-security-bh.ppt
72
l2-security-bh.ppt
73
Nice Try
M
-c
as
t
74
Nice Try
Fr
am
e
l2-security-bh.ppt
75
IP Telephony Considerations
Tcpdump Output
04:16:06.652765 802.1Q vid 987 pri 0 1:0:c:cc:cc:cd > 0:8:e3:cf:1a:dd sap aa ui/C len=39
04:16:07.095781 0:8:e3:cf:1a:dd > 1:0:c:cc:cc:cd sap aa ui/C len=39
76
Switch Management
77
l2-security-bh.ppt
78
l2-security-bh.ppt
79
l2-security-bh.ppt
80
Internet
Security Perimeter
Outside
Inside
81
Internal
Internet
Outside
l2-security-bh.ppt
Inside
82
Lessons Learned
83
Further Reading
SAFE Blueprints
http://www.cisco.com/go/safe
htm#xtocid854519
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1219ea1/3550scg/swdhcp
82.htm
l2-security-bh.ppt
84