Sie sind auf Seite 1von 21

Endpoint Security

Which should be protected?

Securing the edge device because of its WAN connection?

Securing the internal LAN?

Both - Securing the internal LAN is just as important as securing the perimeter of
a network.

The high-profile threats most often discussed in the media are external
threats, such as Internet worms and DoS attacks. However, securing an
internal LAN is just as important as securing the perimeter of a network.
Without a secure LAN, users within an organization are still susceptible to
network threats and outages that can directly affect an organizations
productivity and profit margin.

The LAN-to-perimeter security strategy is based on the idea that if users


are not practicing security in their desktop operations, no amount of
security precautions will guarantee a secure network. Many network
administrators develop their LAN-to-perimeter security strategy from the
perimeter of a network and work toward the LAN, as shown in the figure.
Other administrators develop their network security strategy at the LAN
and work toward the perimeter. Regardless of the approach, two specific
areas that are vital to secure are the endpoints and the network
infrastructure.

The LAN is made up of network endpoints. An endpoint, or host, is an


individual computer system or device that acts as a network client.
Common endpoints are laptops, desktops, tablets, smart phones, and IP
phones. Servers can also be considered endpoints.

The network infrastructure is the other area of focus for securing the LAN.
This includes securing the non-endpoint intermediary LAN devices such as

switches, wireless devices, IP telephony devices, and SAN devices.


Another aspect of securing the infrastructure is mitigating LAN attacks.
These attacks include MAC address spoofing attacks, STP manipulation
attacks, MAC address table overflow attacks, LAN storm attacks, and VLAN
attacks.

Internal LANs consists of:

Endpoint devices

Computers (laptops, desktops, servers)

Smart devices (tablets, smartphones, and IP phones

LAN infrastructure devices

Routers

Switches

Firewall devices

IPS devices

Wireless devices

IP Telephony devices

SAN devices

A network must also be able to mitigate specific LAN attacks including:

MAC address spoofing attacks

STP manipulation attacks

MAC address table overflow attacks

LAN storm attacks

VLAN attacks

Layer 2 Attacks

Layer 2 and Layer 3 switches are susceptible to many of the same Layer 3
attacks as routers; therefore, most of the security techniques for routers
also apply to switches.

However, switches also have their own unique network attacks including:

MAC address spoofing

MAC address table overflow

Spanning Tree Protocol Manipulation

LAN storms

VLAN attacks

MAC Address spoofing


the method used by switches to populate the MAC address table leads to a
vulnerability known as MAC spoofing.

Spoofing attacks occur when one host masquerades or poses as another


to receive otherwise inaccessible data or to circumvent security
configurations.

MAC address spoofing attacks occur when an attacker alters the MAC
address of their host to match another known MAC address of a target
host, as shown in Figure 1. The attacking host then sends a frame
throughout the network with the newly configured MAC address

When the switch receives the frame, it examines the source MAC address.
The switch overwrites the current MAC address table entry and assigns the
MAC address to the new port, as shown in Figure 2. It then inadvertently
forwards frames destined for the target host to the attacking host.

When the switch changes the MAC address table, the target host does not
receive any traffic until it sends traffic. When the target host sends traffic,
the switch receives and examines the frame, resulting in the MAC address
table being rewritten once more, realigning the MAC address to the
original port. To stop the switch from returning the spoofed MAC address
port assignments to their correct state, the attacking host can create a
program or script that will constantly send frames to the switch so that the
switch maintains the incorrect or spoofed information. There is no security
mechanism at layer 2 that allows a switch to verify the source of MAC
addresses, which is what makes it so vulnerable to spoofing or
masquerading.

MAC Address Table Overflow


MAC address tables are limited in size and MAC flooding takes advantage of this
limitation by bombarding the switch with fake source MAC addresses until the
switch MAC address table is full.

If enough entries are entered into the MAC address table before
older entries expire, the table fills up to the point that no new
entries can be accepted.

When this occurs, the switch begins to flood all incoming traffic to
all ports because there is no room in the table to learn any
legitimate MAC addresses.

As a result, the attacker can see all of the frames sent from one
host to another.

Traffic is flooded only within the local VLAN, so the intruder sees
only traffic within the local VLAN to which the intruder is connected.

The most common way of implementing a MAC address table overflow


attack is using the macof tool. This tool floods a switch with frames
containing randomly generated source and destination MAC and IP
addresses
MAC Address Table Overflow Example 2

Over a short period of time, the MAC address table fills up

When the MAC address table is full of invalid source MAC addresses, the
switch begins to flood all frames that it receives

As long as macof is left running, the table on the switch remains full, and
the switch continues to flood all received frames out of every port. This
allows the attacker to send packets to devices that would otherwise be
unreachable

Both MAC spoofing and MAC address table overflow attacks can be
mitigated by configuring port security on the switch. With port security,
the administrator can either statically specify the MAC addresses on a
particular switch port or allow the switch to dynamically learn a fixed
number of MAC addresses for a switch port. To statically specify the MAC
addresses is not a manageable solution for a production environment.
Allowing the switch to dynamically learn a fixed number of MAC addresses
is an administratively scalable solution.

Mitigating MAC Address Attacks

Both MAC spoofing and MAC address table overflow attacks can be
mitigated by configuring port security on the switch.

With port security, the administrator can either statically specify the MAC
addresses on a particular switch port or allow the switch to dynamically
learn a fixed number of MAC addresses for a switch port.
STP Manipulation

Network attackers can manipulate STP to conduct an attack by making


their host appear as the root bridge and, therefore, capturing all traffic for
the immediate switched domain.

This attack can be used to defeat all three of the security objectives:
confidentiality, integrity, and availability.
Spanning Tree Protocol Manipulation
STP Manipulation Example 1

The attacking host broadcasts STP configuration and topology change


BPDUs to force spanning-tree recalculations.

The BPDUs sent by the attacking host announce a lower bridge priority in
an attempt to be elected as the root bridge.
STP Manipulation Example 2

If successful, the attacking host becomes the root bridge and sees a
variety of frames that otherwise are inaccessible.

The BPDUs sent by the attacking host announce a lower bridge priority in
an attempt to be elected as the root bridge. If successful, as shown in
Figure 2, the attacking host becomes the root bridge and sees a variety of
frames that otherwise are not accessible.

This attack can be used to defeat all three of the security objectives:
confidentiality, integrity, and availability. Mitigation techniques for STP
manipulation include enabling PortFast, as well as root guard and BPDU
guard.
Mitigating STP Manipulation Attacks
Mitigation techniques for STP manipulation include enabling:

PortFast

Root guard

BPDU guard

LAN Storm Attacks


LAN Storm

A LAN storm occurs when packets flood the LAN, creating excessive traffic
and degrading network performance.

Causes include:

Errors in the protocol stack implementation

Mistakes in network configurations

Users issuing a DoS attack

LAN Storm Attacks


LAN Storm Example

Remember that switches always forward broadcasts out all ports.

During an attack, broadcast, multicast, and unicast frames are flooded on


all ports in the same VLAN.

LAN storms often increase CPU utilization on a switch to 100 percent,


causing a denial of service to users communicating through the switch.
LAN Storm Attacks
Mitigating LAN Storms

It is possible to suppress excessive broadcast, multicast, and unicast


frames using storm control.

Storm control prevents traffic on a LAN from being disrupted by a


broadcast, multicast, or unicast storm on one of the physical interfaces.
VLAN Attacks
VLAN Attacks

There are a number of different types of VLAN attacks that are prevalent in
modern switched networks.

It is important to understand the general methodology behind these


attacks and the primary approaches to mitigate them.

Common VLAN attacks include:

VLAN hopping attack

Double-Tagging VLAN attack

A VLAN hopping attack can be launched in one of two ways:

Spoofing DTP messages from the attacking host causes the switch
to enter trunking mode

Introducing a rogue switch and enabling trunking

The end result is that it enables the attacker to potentially access all
VLANs on the network.
VLAN Attacks
VLAN Hopping Attacks Example

The attacker takes advantage of the default automatic trunking


configuration on most switches and configures a system to spoof itself as

a switch.
The switch creates a trunk link with the host enabling the attacker to gain
access to all the VLANs on the trunk port, and the attacker can now send
and receive traffic on all the VLANs.

VLAN Attacks
Mitigating VLAN Hopping Attacks

The best way to prevent a basic VLAN hopping attack is to turn off
trunking on all ports, except the ones that specifically require trunking.

On the required trunking ports, disable DTP (auto trunking) negotiations


and manually enable trunking.

VLAN Attacks
Double-Tagging VLAN Attack

Also called double-encapsulated VLAN hopping attack

This attack takes advantage of the way that most perform only one level
of 802.1Q decapsulation which allow an attacker in specific situations to
embed a hidden 802.1Q tag inside the frame.

This tag allows the frame to go to a VLAN that the original 802.1Q tag did
not specify.
VLAN Attacks
Double-Tagging VLAN Attack Example 1

In Figure 1, the attacker sends a double-tagged 802.1Q frame to the


switch. The outer header has the VLAN tag of the attacker, which is the
same as the native VLAN of the trunk port. For the purposes of this
example, assume that this is VLAN 10. The inner tag is the victim VLAN, in
this example, VLAN 20.

In Figure 2, the frame arrives on the first switch, which looks at the first 4byte 802.1Q tag. The switch sees that the frame is destined for VLAN 10,
which is the native VLAN. The switch forwards the packet out on all VLAN
10 ports after stripping the VLAN 10 tag. On the trunk port the VLAN 10
tag is stripped, and the packet is not retagged since it is part of the Native
VLAN. At this point, the VLAN 20 tag is still intact and has not been
inspected by the first switch.
VLAN Attacks
Double-Tagging VLAN Attack Example 3

VLAN Attacks
Mitigating Double-Tagging VLAN Attacks

Ensure that the native VLAN of the trunk ports is different from the VLAN
of the user ports.

Security best practice recommend to use a dummy VLAN that is unused


throughout the switched LAN as the native VLAN for all 802.1Q trunks in a
switched LAN.

Configuring Layer 2 Security


Port Security
To prevent MAC spoofing and MAC table overflows, enable
port security.
Port security can be used to statically specify MAC
addresses for a port or to permit the switch to dynamically
learn a limited number of MAC addresses.
By limiting the number of permitted MAC addresses on a
port to one, port security can be used to control
unauthorized expansion of the network.
Port Security Example

Enabling port security thwarts Attacker 1 and


Attacker 2 MAC address spoofing attacks.

When MAC addresses are assigned to a secure port,


the port does not forward frames with source MAC
addresses outside the group of defined addresses.
When a port configured with port security receives
a frame, the source MAC address of the frame is
compared to the list of secure source addresses
that were manually configured or autoconfigured
(learned) on the port. If a MAC address of a device
attached to the port differs from the list of secure
addresses, the port either shuts down until it is
administratively enabled, or default mode, or drops
incoming frames from the insecure host, or restrict
option. The behavior of the port depends on how it
is configured to respond to a security violator. The
table in Figure 2 differentiates between the three
violation modes.

It is recommended that an administrator configure


the port security feature to issue a shutdown rather
than dropping frames from insecure hosts with the
restrict option. The restrict option might fail under
the load of an attack.
Configuring Port Security
When MAC addresses are assigned to a secure port,
the port does not forward frames with source MAC
addresses outside the group of defined addresses.
To configure port security on an access port, follow
these steps (see Figure 1):
Step 1. Configure an interface as an access
interface.
Switch(config-if)# switchport mode access
The port must be in access mode otherwise if it is in
the default mode (dynamic auto), it will not be
configured as a secure port.
Step 2. Enable port security on the interface using
the switchport port-security command.
Once enabled, other port security specifics can be
configured. The complete syntax of the switchport
port-security command includes a number of
optional parameters.
Switch(config-if)# switchport port-security [ macaddress mac-address [ vlan { vlan-id | { access |
voice }}] ] | [ mac-address sticky [ mac-address |
vlan { vlan-id | { access | voice }}]] [ maximum
value [ vlan { vlan-list | { access | voice }}]]
Note: Available configuration parameters are
dependent on the switch model and IOS version.
Step 3. (Optional) Set the maximum number of
secure MAC addresses for the interface.

Switch(config-if)# switchport port-security


maximum value
The range is 1 to 132. The default is 1.

After port security is enabled, it is necessary to


establish the violation rules for the access port.

Violation rules refer to the actions that the switch


takes if a security violation occurs. An interface can
be configured for one of three violation modes,
specifying the action to be taken if a violation
occurs. Figure 1 presents which kinds of data traffic
are forwarded when one of the following security
violation modes are configured on a port:
Protect - When the number of secure MAC
addresses reaches the limit allowed on the port,
packets with unknown source addresses are
dropped until a sufficient number of secure MAC
addresses are removed, or the number of maximum
allowable addresses is increased. There is no
notification that a security violation has occurred.
Restrict - When the number of secure MAC
addresses reaches the limit allowed on the port,
packets with unknown source addresses are
dropped until a sufficient number of secure MAC
addresses are removed, or the number of maximum
allowable addresses is increased. In this mode,
there is a notification that a security violation has
occurred.
Shutdown - In this (default) violation mode, a port
security violation causes the interface to
immediately become error-disabled and turns off
the port LED. It increments the violation counter.
When a secure port is in the error-disabled state, it
can be brought out of this state by entering the
shutdown and no shutdown interface configuration
mode commands.

Step 1. Set the violation mode. This is the action


that the switch takes when a security violation is
detected. If the violation mode is not specified, the
default is to shut down the port.

Switch(config-if)# switchport port-security violation


{ protect | restrict | shutdown | shutdown vlan }
When a secure port is in the error-disabled state,
this means that a violation has occurred and the
port is disabled. To re-enable the port, enter the
errdisable recovery cause psecure-violation global
configuration mode commands, or manually reenable it by entering the shutdown and no
shutdown interface configuration mode commands.

Port security aging can be used to set the aging


time for static and dynamic secure addresses on a
port. Two types of aging are supported per port:
Absolute - The secure addresses on the port are
deleted after the specified aging time.
Inactivity - The secure addresses on the port are
deleted only if they are inactive for the specified
aging time.
Use aging to remove secure MAC addresses on a
secure port without manually deleting the existing
secure MAC addresses. Aging time limits can also
be increased to ensure past secure MAC addresses
remain, even while new MAC addresses are added.
Keep in mind the maximum number of secure

addresses per port can be configured. Aging of


statically configured secure addresses can be
enabled or disabled on a per-port basis.
Use the switchport port-security aging {static |
time time| type {absolute | inactivity}} command
to enable or disable static aging for the secure port
or to set the aging time or type. The syntax for
configuring port security aging is also displayed in
Figure 1

Configuring Port Security


Port Security Example

S2(config-if)# switchport mode access

S2(config-if)# switchport port-security


S2(config-if)# switchport port-security maximum 2
S2(config-if)# switchport port-security violation
shutdown
S2(config-if)# switchport port-security mac-address
sticky
S2(config-if)# switchport port-security aging time
120
Verifying Port Security
show port-security Command
Use the show port-security command to view port
security settings for the switch, including violation
count, configured interfaces, and security violation
actions.
Page 48..

Das könnte Ihnen auch gefallen