
CCNA Security - IINS

Securing Layer 2
Network Device Reconnaissance
»  Attacker has to be directly connected to one of the victim’s interfaces (network device)
»  Network device is identified via CDP and/or LLDP
»  In order to mitigate such attacks
•  Disable CDP and LLDP on untrusted interfaces
   •  no cdp enable
   •  no lldp transmit
•  If all interfaces are untrusted, globally disable CDP and LLDP
   •  no cdp run
   •  no lldp run

Copyright © www.ine.com
Lateral Movement Attacks
»  Within a VLAN there are several hosts/endpoints
»  The attacker infects one endpoint and starts attacking all hosts within the same VLAN
•  The default gateway may be a firewall restricting access to other segments of the network, but intra-VLAN traffic never passes through it
»  In order to mitigate such attacks
•  Restrict endpoint intra-VLAN access via PACL, VACL or by authorization received from a RADIUS server
•  Restrict endpoint intra-VLAN access via Private VLANs (PVLAN)
•  Or its variation, named Private VLAN Edge

Private VLAN Edge
»  PVLAN Edge
•  Blocks all traffic between configured ports of a switch (all-or-nothing model)
•  Does not function across switches
»  PVLAN Edge Configuration
•  Configure switch ports as protected: switchport protected
•  All traffic between protected ports is blocked
•  All traffic between protected and non-protected ports (the default state) is allowed
»  PVLAN Edge Verification
•  show interfaces <interface_nr> switchport

Private VLANs Overview
»  Allow for layer 2 isolation between ports within the same VLAN
•  Expansion of the PVLAN Edge (protected port) feature
•  Allow isolation across multiple switches
•  Allow for additional granular control within the same VLAN
»  Use “sub-VLANs” within the primary VLAN for the layer 2 isolation
•  The main VLAN is known as the “Primary” VLAN
•  A sub-VLAN is known as a “Secondary” VLAN

Private VLANs VLAN and Port Types
»  Secondary VLANs have to be associated with the primary VLAN
•  Otherwise they are useless
•  A single isolated VLAN can be associated with a primary VLAN
•  Multiple community VLANs can be associated with a primary VLAN
»  There are two types of Secondary VLANs
•  Community
•  Isolated
»  Two types of switch ports
•  Promiscuous ports (hosts attached to the primary VLAN)
•  Host ports (hosts attached to the secondary VLANs)

Private VLANs Traffic Filtering
»  No ports should be configured as access ports into the primary VLAN
•  The primary VLAN is dedicated to promiscuous ports
»  Isolated VLAN members
•  Can only communicate with hosts attached to promiscuous ports
»  Community VLAN members
•  Can communicate with members of the same community VLAN
•  Can communicate with hosts attached to promiscuous ports

VLAN Hopping Attack
»  An attacking host attached to the Ethernet network sends 802.1Q / ISL tagged frames into the switched network in order to hop over VLAN barriers
»  Two variations
•  Host runs Dynamic Trunking Protocol (DTP) to actually form a trunk link with the adjacent switch
•  Host sends frames double tagged with 802.1Q headers
   •  Outer header is padding (it is stripped by the first switch)
   •  Inner header is tagged with the destination VLAN of the victim

VLAN Hopping Mitigation
»  Host-facing interfaces should not be dynamic ports
•  switchport mode access
»  Static access ports have DTP disabled by default; otherwise you can disable it manually
•  switchport nonegotiate
»  Don’t use VLAN 1 ever
•  Unused ports should be assigned to an unused VLAN which is not VLAN 1
•  The native VLAN should be changed to an unused VLAN which is not VLAN 1

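The mitigation slide as a complete port template; this is an added example, not configuration from the original deck. VLAN 10 (hosts), VLAN 999 (unused/parking), and the interface numbering are assumptions; the final global command is a platform-dependent addition that is not on the slides.

```cisco
! Unused VLAN: carries no hosts, used as native VLAN and to park unused ports
vlan 999
 name UNUSED-PARKING
!
! Host-facing ports: static access, DTP off, so no trunk can be negotiated
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: parked in the unused VLAN and administratively down
interface range GigabitEthernet0/21 - 23
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Uplink trunk: static (no DTP), native VLAN moved off VLAN 1, and only
! the VLANs that really need to cross the link are allowed
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Optional, platform dependent: tag native-VLAN frames on trunks as well,
! so a double-tagged frame's outer tag is never silently stripped
vlan dot1q tag native
!
! Verification (exec mode)
! show interfaces GigabitEthernet0/1 switchport   -> Negotiation of Trunking: Off
! show interfaces trunk
```
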
CAM Table Attacks
»  The switch’s Content Addressable Memory (CAM) table associates a destination MAC address with an outgoing interface
»  If the CAM table is full, frames to unknown destination MAC addresses are treated like broadcast traffic
•  Forwarded out all ports in all VLANs except the port it was received on
»  Attacker floods frames with random source MAC addresses until the CAM table fills up
»  The switch essentially turns into a hub
»  Another common attack is MAC spoofing

CAM Attack Mitigation
»  Layer 2 switching table
•  Associates a destination MAC address with an outgoing port
•  Can be used to “null route” a MAC address
•  Configure the switch to silently drop all frames with a specific source MAC address
»  Null route a MAC address
•  mac address-table static <mac_address> vlan <vlan_nr> drop

CAM Attack Mitigation
»  Port Security
•  Limits the number of MAC addresses that can be seen on a port
   •  Optionally, the limit can be per domain (data / voice)
•  Limits the specific MAC addresses allowed on a port
   •  By default the switch dynamically learns MAC addresses
   •  Allowed MAC addresses can be statically defined
   •  Dynamically learned MAC addresses can become static via sticky configuration

Port Security Violation Options
»  A violation occurs when the configured maximum number of MAC addresses has been exceeded
»  Violation modes
•  Protect
   •  Drop traffic of the violating MAC address
•  Restrict
   •  Drop traffic of the violating MAC address
   •  Generate SNMP / Syslog messages
•  Shutdown (default)
   •  Put the port into err-disable state (logical shutdown)
   •  Generate SNMP / Syslog messages

Port Security Err-Disable Recovery
»  If the port entered err-disable state
•  It can be manually recovered via shutdown / no shutdown
•  It can be automatically recovered via the err-disable recovery feature
   •  Disabled by default

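The three port-security slides above as one worked configuration: a sticky data/voice port in restrict mode, a printer port with a static MAC in the default shutdown mode, and err-disable auto-recovery. This is an added example, not from the original deck; VLAN numbers, interface names and the MAC address are constructed values.

```cisco
! User port: one data MAC and one voice MAC, learned dynamically and
! written into the running-config as sticky entries
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Printer port: single statically defined MAC (constructed value);
! violation mode is left at the default, shutdown (err-disable)
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0200.0000.0002
!
! Err-disable recovery is off by default; re-enable ports hit by a
! port-security violation after 300 seconds
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (exec mode)
! show port-security interface GigabitEthernet0/1
! show port-security address
! show errdisable recovery
! show interfaces status err-disabled
```

With restrict mode the violating frames are dropped and counted ("Security Violation Count" in show port-security interface) while legitimate hosts on the port keep working; shutdown mode takes every host on the port offline.
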

DHCP Starvation Attack
»  DHCP server has a finite IP address scope
•  Attacker sends a flood of DHCP requests with spoofed source MAC addresses
•  DHCP server leases one IP address per MAC address until the pool is depleted
•  Victim hosts are “starved” of a DHCP lease
»  Spoofed DHCP server on the segment
•  Offers rogue IP addresses to clients
•  Results in MitM attacks
•  Possibly clients become isolated

DHCP Starvation Variation
»  Port security can be used to limit the number of MAC addresses on an interface
•  Attacker can’t generate DHCP requests with lots of source MAC addresses
•  Most DHCP implementations don’t use the client source MAC address but instead use the “DHCP Client-identifier” inside the DHCP request payload to lease addresses
»  Attacker can keep the source MAC address in the Ethernet frame the same but change the DHCP client-identifier across packets
•  Port security sees only one source MAC address; same starvation attack result

DHCP Starvation Mitigation
»  DHCP Snooping
•  Performed by a layer 2 switch
•  Listens to / intercepts DHCP traffic between client and server
•  Builds an IP to MAC mapping on a per-interface basis
•  Port connected to the DHCP server is in snooping “trust” state
•  DHCP server replies are denied on all other ports
»  Additional DHCP requests are dropped on interfaces that already have an IP to MAC binding in the snooping table

DHCP Starvation Mitigation
»  If switches don’t support snooping…
•  DHCP requests are sent to UDP port 67 (server port)
•  DHCP replies are sent to UDP port 68 (client port)
•  Filter DHCP replies from all sources except the DHCP server
»  Can use PACLs (port ACLs), but VACLs (VLAN ACLs) would be more efficient

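Both filtering options from this slide as added IOS examples (not from the original deck): a VACL for VLAN 10 that drops server-to-client DHCP from anyone but the real server, and the PACL alternative on host ports. The server address 10.10.10.5, VLAN 10 and the interface range are assumptions.

```cisco
! Option 1: VACL. In a VLAN access-map a "permit" ACE means "match this
! traffic", a "deny" ACE means "this entry does not match, fall through".
ip access-list extended ROGUE-DHCP-REPLIES
 remark legitimate server: no match, so it is not dropped below
 deny   udp host 10.10.10.5 eq bootps any eq bootpc
 remark any other device answering as a DHCP server: match
 permit udp any eq bootps any eq bootpc
!
vlan access-map BLOCK-ROGUE-DHCP 10
 match ip address ROGUE-DHCP-REPLIES
 action drop
vlan access-map BLOCK-ROGUE-DHCP 20
 action forward
!
! One filter for the whole VLAN, enforced on every port of this switch
vlan filter BLOCK-ROGUE-DHCP vlan-list 10
!
! Option 2: PACL. Hosts never have a reason to send server-port (67)
! to client-port (68) traffic, so drop it inbound on every host port.
ip access-list extended NO-DHCP-SERVER-FROM-HOSTS
 deny   udp any eq bootps any eq bootpc
 permit ip any any
!
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 ip access-group NO-DHCP-SERVER-FROM-HOSTS in
!
! Verification (exec mode)
! show vlan access-map
! show vlan filter
! show ip access-lists ROGUE-DHCP-REPLIES
```

Neither option stops the starvation attack itself (the rogue traffic there is client-to-server); they only stop a rogue server on the segment, which is why the slides treat DHCP snooping as the preferred control.
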
ARP Spoofing Attacks
»  ARP is normally a request / reply protocol
•  What is 1.2.3.4’s MAC address?
•  I’m 1.2.3.4, my MAC address is…
»  A gratuitous ARP is an unsolicited ARP reply
•  Legitimate use is to refresh neighbors’ ARP caches
•  Illegitimate use is to spoof someone else’s MAC address
   •  Can be used to facilitate a MitM attack

ARP Spoofing Mitigation
»  Dynamic ARP Inspection
•  Performed by a layer 2 switch
•  Listens to / intercepts all ARP traffic
•  Relies on the DHCP Snooping table being built upfront
   •  DHCP snooping builds the IP to MAC binding table
•  ARP requests and replies are intercepted by the switch, and the IP to MAC binding from the ARP payload is matched against the DHCP Snooping table
   •  If the ARP payload content does not match the DHCP Snooping table, the ARP packets are silently dropped

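An added example, not from the original deck, covering both the DHCP snooping mitigation slide and this DAI slide in one configuration: snooping and inspection on VLAN 10, a trusted uplink, rate limits on untrusted host ports, and an ARP ACL for a statically addressed host that has no snooping binding. VLAN 10, the interface names and the 10.10.10.20 / 0200.0000.0020 host are constructed values.

```cisco
! DHCP snooping: global enable plus the VLAN(s) to snoop
ip dhcp snooping
ip dhcp snooping vlan 10
! An access switch is not a relay agent; without this line it inserts
! Option 82 and many DHCP servers/relays drop the request
no ip dhcp snooping information option
!
! Dynamic ARP Inspection on the same VLAN. The binding table check is
! always done; "validate" additionally compares the Ethernet header
! addresses with the ARP payload and rejects invalid/bogus IPs
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the legitimate DHCP server / router: trusted for both,
! so server replies and the gateway's ARP are not inspected here
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports stay untrusted (default). Rate limits blunt DHCP floods that
! reuse one source MAC (client-identifier variation) and ARP floods;
! exceeding them puts the port into err-disable
interface range GigabitEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! A static-IP host has no snooping binding; whitelist its IP/MAC pair
! (constructed values) instead of marking its whole port trusted
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.20 mac host 0200.0000.0020
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verification (exec mode)
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Enable snooping before DAI and give clients time to renew their leases; until the binding table is populated, DAI drops the ARP traffic of hosts that obtained their lease before snooping was turned on.
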
STP Attacks
»  Attacker connects an unauthorized switch to the network
•  Can result in confidentiality loss due to switching functionality
•  Can result in the STP root bridge being changed, which affects the layer 2 traffic pattern in the network and causes bottlenecks

STP Attack Mitigation
»  PortFast
•  Transitions a layer 2 port directly to the STP forwarding state upon the link coming up
•  Can be globally enabled, or per port (same behavior)
•  If a BPDU is received on the port, it loses PortFast state
•  Not really a security feature, but is required for other features

STP Attack Mitigation
»  BPDU Guard
•  Transitions the layer 2 port into err-disabled state upon receiving a BPDU inbound on the port
•  Manual recovery via shutdown / no shutdown
•  Automatic recovery via err-disable recovery feature configuration (disabled by default)
•  Can be globally enabled, or per port (same behavior)
•  If enabled globally, it gets activated only on ports where PortFast is active

STP Attack Mitigation
»  Root Guard
•  Transitions a layer 2 port directly to the STP root-inconsistent state upon receiving a superior BPDU
•  It is a per-VLAN feature if running per-VLAN STP/RSTP
   •  A port can be forwarding for VLAN 10 and be in root-inconsistent state for VLAN 20
•  The port self-recovers as soon as the superior BPDU is no longer received
•  A superior BPDU is a BPDU advertising a better priority than that of the elected, current root bridge
   •  Better priority actually means lower bridge-priority and lower MAC address values

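The three STP mitigation slides (PortFast, BPDU Guard, Root Guard) as one added IOS example; this is not configuration from the original deck. The interface roles (Gi0/1-20 hosts, Gi0/23 downstream switch) are assumptions.

```cisco
! Global: every access port gets PortFast, and BPDU Guard is armed on
! exactly those PortFast ports (the global form does nothing on others)
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
! Host-facing ports: explicit per-port form, identical behavior to the
! global one; a BPDU here means someone plugged in a switch
interface range GigabitEthernet0/1 - 20
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to a downstream access switch that is allowed to exist but must
! never become root: a superior BPDU moves the port to root-inconsistent
! (per VLAN), and it recovers on its own once that BPDU stops arriving
interface GigabitEthernet0/23
 switchport mode trunk
 spanning-tree guard root
!
! BPDU Guard err-disable is permanent unless recovery is configured
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification (exec mode)
! show spanning-tree summary                  -> PortFast / BPDU Guard state
! show spanning-tree inconsistentports        -> Root Guard hits, per VLAN
! show interfaces status err-disabled
```

Root Guard belongs on ports facing switches that are legitimately part of the tree but must stay downstream; BPDU Guard belongs on ports where no switch should ever appear.
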
Q&A

Copyright © www.ine.com All rights reserved.
