Securing Layer 2
Network Device Reconnaissance
» The attacker has to be directly connected to one of the victim network device's interfaces
» The network device is identified via CDP and/or LLDP
» In order to mitigate such attacks
• Disable CDP and LLDP on untrusted interfaces (keep them only where a trusted neighbor such as an IP phone relies on them, e.g. for voice VLAN discovery)
• no cdp enable
• no lldp transmit
• If all interfaces are untrusted, globally disable CDP and LLDP
• no cdp run
• no lldp run
Copyright © www.ine.com
Lateral Movement Attacks
» Within a VLAN there are several hosts/endpoints
» The attacker compromises one endpoint and starts attacking all other hosts within the same VLAN
• The default gateway may be a firewall restricting access to other network segments, but intra-VLAN traffic never passes through it
» In order to mitigate such attacks
• Restrict endpoint intra-VLAN access via PACL, VACL or authorization received from a RADIUS server
• Restrict endpoint intra-VLAN access via Private VLANs (PVLAN)
• Or its simpler variant, named Private VLAN Edge
Private VLAN Edge
» PVLAN Edge
• Blocks all traffic between the configured ports of a switch (all-or-nothing model)
• Does not function across switches: a protected port on one switch can still reach a protected port on another
» PVLAN Edge Configuration
• Configure switch ports as protected: switchport protected
• All traffic between protected ports is blocked
• All traffic between protected and non-protected ports (the default state) is allowed
» PVLAN Edge Verification
• show interfaces <interface_nr> switchport
Private VLANs Overview
» Allows for layer 2 isolation between ports within the same VLAN
• Extension of the PVLAN Edge (protected port) feature
• Allows isolation across multiple switches
• Allows additional granular control within the same VLAN
» Uses “sub-VLANs” within the primary VLAN for the layer 2 isolation
• The main VLAN is known as the “Primary” VLAN
• A sub-VLAN is known as a “Secondary” VLAN
Private VLANs VLAN and Port Types
» Secondary VLANs have to be associated with the primary VLAN
• Otherwise they are useless
• A single isolated VLAN can be associated with a primary VLAN
• Multiple community VLANs can be associated with a primary VLAN
» There are two types of Secondary VLANs
• Community
• Isolated
» Two types of switch ports
• Promiscuous ports (hosts attached to the primary VLAN)
• Host ports (hosts attached to the secondary VLANs)
Private VLANs Traffic Filtering
» No ports should be configured as access ports into the primary VLAN
• The primary VLAN is dedicated to promiscuous ports
» Isolated VLAN members
• Can only communicate with hosts attached to promiscuous ports
» Community VLAN members
• Can communicate with members of the same community VLAN
• Can communicate with hosts attached to promiscuous ports
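A complete Private VLAN configuration that realizes the VLAN and port types described above, written in Cisco IOS syntax as an added example (it is not part of the original slides). The VLAN numbers (100 primary, 101 isolated, 102 community) and the interface names are assumed values.

```cisco
! Added example: Private VLAN configuration in Cisco IOS syntax.
! VLAN numbers and interface names are assumed values.
!
! PVLANs are not propagated by VTP v1/v2, so the switch must be in
! transparent mode (VTPv3 can carry them; transparent is the safe choice).
vtp mode transparent
!
! Primary VLAN: only promiscuous ports belong here, never plain access ports.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Secondary VLANs: the single isolated VLAN and one community VLAN.
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Host port in the isolated VLAN: can reach promiscuous ports only.
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Host ports in the community VLAN: reach each other and promiscuous ports.
interface range GigabitEthernet1/0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port (e.g. towards the default gateway / firewall):
! mapped to every secondary VLAN it has to serve.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verification:
!   show vlan private-vlan
!   show interfaces GigabitEthernet1/0/1 switchport
```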
VLAN Hopping Attack
» An attacking host attached to the Ethernet network sends 802.1Q / ISL tagged frames into the switched network in order to hop over VLAN boundaries
» Two variations
• The host runs Dynamic Trunking Protocol (DTP) to actually form a trunk link with the adjacent switch
• The host sends frames double-tagged with 802.1Q headers
• The outer header is padding (it matches the trunk's native VLAN, so the first switch strips it)
• The inner header is tagged with the destination VLAN of the victim
VLAN Hopping Mitigation
» Host-facing interfaces should not be dynamic ports
• switchport mode access
» Static access ports have DTP disabled by default; otherwise disable it manually
• switchport nonegotiate
» Never use VLAN 1
• Unused ports should be assigned to an unused VLAN that is not VLAN 1
• The native VLAN should be changed to an unused VLAN that is not VLAN 1
CAM Table Attacks
» The switch's Content Addressable Memory (CAM) table associates a destination MAC address with an outgoing interface
» If the CAM table is full, all unknown entries are treated like broadcast traffic
• Forwarded out all ports in all VLANs except the port it was received on
» The attacker floods frames with random source MAC addresses until the CAM table fills up
» The switch essentially turns into a hub, so the attacker sees traffic meant for other hosts
» Another common attack is MAC spoofing
CAM Attack Mitigation
» Layer 2 switching table
• Associates a destination MAC address with an outgoing port
• Can be used to “null route” a MAC address
• Configure the switch to silently drop all packets with a specific source MAC address