
Ethernet: Layer 2 Security



Presentation Transcript


  1. Ethernet: Layer 2 Security. Eric Vyncke, Cisco Systems Distinguished Engineer, Evyncke@cisco.com

  2. The Domino Effect
  [Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) with the initial compromise at the Data Link layer; what is compromised at each level, bottom up: physical links, MAC addresses, IP addresses, protocols/ports, application stream]
  • Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem
  • Security is only as strong as your weakest link
  • When it comes to networking, layer 2 can be a VERY weak link

  3. MAC Attacks

  4. CAM Overflow 1/2
  [Figure: a switch with MAC A on port 1, MAC B on port 2 and MAC C (the attacker) on port 3. The CAM table starts as A→1, B→2, C→3. The attacker sends frames from bogus source MACs X, Y, ... ("X->?", "Y->?"); the switch learns "X is on port 3", "Y is on port 3" and the table ends up as X→3, Y→3, C→3: the entry for B has been overwritten.]

  5. CAM Overflow 2/2
  [Figure: A sends a frame to B ("A->B"). B is no longer in the CAM table ("B unknown... flood the frame"), so the switch floods the frame out of every port, including port 3, and the attacker sees it ("I see traffic to B!").]

  6. MAC Flooding Attack Mitigation
  • Port Security
    – Allows you to specify the MAC addresses for each port, or to learn a certain number of MAC addresses per port
    – Upon detection of an invalid MAC, block only the offending MAC or just shut down the port
  • Smart CAM table
    – Never overwrite existing entries
    – Only time out inactive entries
    – Active hosts will never be overwritten
  • Speak first
    – Deviation from the learning bridge: never flood
    – Requires a host to send traffic first before receiving any
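
The three behaviours above, run against the CAM overflow of slides 4 and 5, as an added example (not code from the original slides). The switch model is a simplification and an assumption: the CAM holds a fixed number of entries and, in "classic" mode, a full table evicts its oldest entry (real switches overwrite by hash bucket, but the effect on the victim is the same); the MACs and port numbers are constructed.

```python
"""CAM-table overflow and its mitigations, simulated.

Added example, not from the original slides. Assumption: the CAM holds
cam_size entries and a full "classic" table evicts its oldest entry.
"""
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Learning bridge with three CAM policies:
    classic       - learn every source MAC, evict when full (vulnerable)
    smart         - never overwrite an existing entry; stop learning when full
    port-security - at most max_macs source MACs per port, err-disable on violation
    """

    def __init__(self, cam_size, mode="classic", max_macs=2):
        self.cam_size, self.mode, self.max_macs = cam_size, mode, max_macs
        self.cam = OrderedDict()      # mac -> port, oldest entry first
        self.errdisabled = set()      # ports shut down by port-security
        self.flooded = []             # (src, dst) of frames flooded to all ports

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)          # active entry: refresh its age
            return
        if self.mode == "port-security":
            seen_on_port = sum(1 for p in self.cam.values() if p == port)
            if seen_on_port >= self.max_macs:
                self.errdisabled.add(port)     # violation: shut the port down
                return
        if len(self.cam) >= self.cam_size:
            if self.mode == "smart":
                return                         # table full: keep the active entries
            self.cam.popitem(last=False)       # classic: overwrite the oldest entry
        self.cam[mac] = port

    def forward(self, src, dst, in_port):
        """Egress port for a frame, "flood" if the destination is unknown,
        or None if the ingress port has been err-disabled."""
        if in_port in self.errdisabled:
            return None
        self._learn(src, in_port)
        out = self.cam.get(dst)
        if out is None:
            self.flooded.append((src, dst))
            return "flood"
        return out


def run_attack(mode, cam_size=8, attack_frames=50):
    """Hosts A (port 1) and B (port 2) talk first; the attacker on port 3 then
    sends frames from random source MACs (constructed data). Returns where a
    later A->B frame goes: port 2 (normal) or "flood" (the attacker sees it)."""
    sw = Switch(cam_size, mode)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.forward(a, b, 1)
    sw.forward(b, a, 2)
    rng = random.Random(1)
    for _ in range(attack_frames):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(fake, BROADCAST, 3)
    return {"a_to_b": sw.forward(a, b, 1),
            "cam_entries": len(sw.cam),
            "errdisabled": sorted(sw.errdisabled)}


if __name__ == "__main__":
    for mode in ("classic", "smart", "port-security"):
        print(mode, run_attack(mode))
```

With the classic policy the A->B frame is flooded after the attack; with the smart CAM the entries for A and B survive and the frame still goes to port 2; with port security the attacker's port is err-disabled after its third source MAC.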

  7. ARP Attacks

  8. ARP Spoofing
  [Figure: three hosts on one segment: IP a / MAC A, IP b / MAC B and IP c / MAC C (the attacker). C sends "C->A, ARP, b=C": a forged ARP reply telling A that IP b is at MAC C. A's traffic for b then goes to C ("A->C, IP, a->b") and C relays it on to B ("C->B, IP, a->b").]
  • C is sending a faked gratuitous ARP reply to A
  • C sees traffic from IP a to IP b

  9. Mitigating ARP Spoofing
  • ARP spoofing works only within one VLAN
  • Static ARP table on critical stations (but a dynamic ARP entry overrides a static one on most hosts!)
  • ARP ACL: checking ARP packets within a VLAN
    – Either by static definition
    – Or by snooping DHCP for dynamic leases
  • No direct communication among hosts in a VLAN: private VLAN
    – Spoofed ARP packets cannot reach the other hosts
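
The "ARP ACL fed by DHCP snooping" check, applied to the forged reply of slide 8, as an added example (not code from the original slides). The binding table is constructed by hand to stand in for what DHCP snooping would have learned; the frames are built with build_arp() rather than captured, and the VLAN and port numbers are assumptions.

```python
"""Dynamic ARP inspection against a DHCP-snooping binding table.

Added example, not from the original slides. BINDINGS, the hosts and the
ports are constructed.
"""
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: int


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff", eth_src=None):
    """Untagged Ethernet II frame carrying an ARP packet (op 1=request, 2=reply)."""
    header = _mac(eth_dst) + _mac(eth_src or sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return header + arp


def parse_arp(frame):
    """ARP fields of an Ethernet/ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def inspect_arp(frame, vlan, port, bindings, trusted_ports=()):
    """Permit an ARP packet only if its sender IP/MAC pair matches the binding
    learned on this VLAN and port. Returns (verdict, reason)."""
    if port in trusted_ports:
        return "permit", "trusted port"
    arp = parse_arp(frame)
    if arp is None:
        return "deny", "malformed or non-ARP frame"
    if arp["sha"] != arp["eth_src"]:
        return "deny", "ARP sender MAC differs from Ethernet source MAC"
    match = [b for b in bindings if b.vlan == vlan and b.ip == arp["spa"]]
    if not match:
        return "deny", f"no binding for {arp['spa']} on VLAN {vlan}"
    b = match[0]
    if b.mac != arp["sha"] or b.port != port:
        return "deny", f"{arp['spa']} is bound to {b.mac} on port {b.port}, not {arp['sha']} on port {port}"
    return "permit", "matches binding"


# Constructed binding table: what DHCP snooping would have recorded for VLAN 10.
BINDINGS = [
    Binding("10.0.0.1", "00:00:00:00:00:0a", 10, 1),   # host A
    Binding("10.0.0.2", "00:00:00:00:00:0b", 10, 2),   # host B
    Binding("10.0.0.3", "00:00:00:00:00:0c", 10, 3),   # host C, the attacker
]
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def demo():
    # The slide's "C->A, ARP, b=C": C tells A that IP b (10.0.0.2) lives at MAC C.
    spoofed = build_arp(2, C, "10.0.0.2", A, "10.0.0.1", eth_dst=A)
    # The genuine reply from B, for comparison.
    genuine = build_arp(2, B, "10.0.0.2", A, "10.0.0.1", eth_dst=A)
    return inspect_arp(spoofed, 10, 3, BINDINGS), inspect_arp(genuine, 10, 2, BINDINGS)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The forged reply is denied because 10.0.0.2 is bound to MAC B on port 2, not to the sender's MAC on port 3; the genuine reply from B is permitted. Ports towards the DHCP server or other switches are listed as trusted so that their ARP traffic is not inspected.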

  10. ARP Spoof Mitigation: Private VLANs
  [Figure: a primary VLAN with promiscuous ports (towards the gateway) and an isolated VLAN with isolated ports; traffic between isolated ports is blocked (x), so a spoofed ARP packet from one isolated port never reaches the other hosts]

  11. VLAN “Hopping” Attacks

  12. Trunk Port Refresher
  • Trunk ports have access to all VLANs by default
  • Used to carry traffic for multiple VLANs across the same physical link (generally used between switches)

  13. Basic VLAN Hopping Attack
  • A station can spoof as a switch with 802.1Q signaling
  • The station is then a member of all VLANs
  • Requires a trunk-favourable setting on the port, i.e. auto-trunking enabled (the SANS paper below is three years old)
  • http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

  14. Double Encapsulated 802.1Q VLAN Hopping Attack
  [Figure: the attacker sends a frame carrying two 802.1Q tags ("802.1q, 802.1q, Frame"); the first switch strips off the first tag and sends the frame back out on the trunk with one tag left ("802.1q, Frame"); the next switch delivers it into the victim's VLAN]
  • Send double-encapsulated 802.1Q frames
  • The switch performs only one level of decapsulation
  • Unidirectional traffic only
  • Works even if trunk ports are set to off
  Note: only works if the trunk has the same native VLAN as the attacker's port

  15. Mitigation
  • Use recent switches
  • Disable auto-trunking
  • Never put a host in the trunk native VLAN
  • Put unused ports in an unused VLAN
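
The double-encapsulation attack of slide 14 and the "never put a host in the trunk native VLAN" mitigation, simulated switch by switch, as an added example (not code from the original slides). The switch behaviour is modelled with three simplifying assumptions: an access port accepts a frame tagged with its own VLAN and strips that tag; a trunk sends native-VLAN frames untagged; a trunk receives untagged frames into its native VLAN. VLAN numbers, MACs and payload are constructed.

```python
"""Double-encapsulated 802.1Q VLAN hopping, simulated.

Added example, not from the original slides. Assumptions: access ports
accept frames tagged with their own VLAN; the native VLAN is carried
untagged on the trunk in both directions.
"""
import struct

DOT1Q = 0x8100


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    frame = _mac(dst) + _mac(src)
    for vid in vids:
        frame += struct.pack("!HH", DOT1Q, vid & 0x0FFF)   # TCI with PCP/DEI zero
    return frame + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Strip the outermost 802.1Q tag; returns (vid, frame) or (None, frame)."""
    if struct.unpack("!H", frame[12:14])[0] != DOT1Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", DOT1Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames belong to access_vlan; a frame tagged with
    access_vlan is accepted and the tag removed (the behaviour the attack
    relies on); any other tag is dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(vlan, frame, native_vlan):
    """Trunk: native-VLAN frames leave untagged, everything else gets a tag."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    vid, inner = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def hop(attacker_vlan, trunk_native_vlan, victim_vlan):
    """Attacker on an access port in attacker_vlan sends a double-tagged frame
    (outer = own VLAN, inner = victim VLAN) across a trunk to a second switch.
    Returns the VLAN the frame lands in on the far switch (None = dropped)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:ee",
                        [attacker_vlan, victim_vlan], 0x0800, b"constructed payload")
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, frame, trunk_native_vlan)   # one level of decapsulation only
    far_vlan, _ = trunk_ingress(on_wire, trunk_native_vlan)
    return far_vlan


if __name__ == "__main__":
    print("attacker in native VLAN 1, victim VLAN 20:", hop(1, 1, 20))
    print("dedicated trunk native VLAN 999:", hop(1, 999, 20))
    print("attacker in VLAN 10, trunk native VLAN 1:", hop(10, 1, 20))
```

Only the first case hops: the outer tag equals the native VLAN, so the trunk sends the frame untagged and the inner tag is all the far switch sees. With a dedicated native VLAN (or an attacker outside the native VLAN) the trunk re-tags the frame with the attacker's own VLAN and it lands there.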

  16. Spanning Tree Attacks

  17. Spanning Tree Basics
  [Figure: three switches; one is elected root, ports are marked F (forwarding) or B (blocking), and the redundant link is blocked (X)]
  • A switch is elected as root
  • A "tree-like" loop-free topology is established
  • Loop-free connectivity

  18. Spanning Tree Attack Example 1/2
  [Figure: a root switch, two access switches and an attacker connected to both access switches, sending STP BPDUs on both links]
  • Send BPDU messages from the attacker to force spanning tree recalculations
  • Impact likely to be DoS
  • Send BPDU messages to become root bridge

  19. Spanning Tree Attack Example 2/2
  [Figure: after the attack the attacker's station is the new root; the formerly blocked link (X) is now forwarding and traffic between the access switches crosses the attacker]
  • Send BPDU messages from the attacker to force spanning tree recalculations
  • Impact likely to be DoS
  • Send BPDU messages to become root bridge
  • The hacker then sees frames he shouldn't
  • MITM, DoS, etc. all possible
  • Any attack is very sensitive to the original topology, trunking, PVST, etc.
  • Requires the attacker to be dual-homed to two different switches

  20. STP Attack Mitigation
  • Disable STP (it is not needed in loop-free topologies, but an accidental loop then goes undetected)
  • BPDU Guard: disables a port upon detection of a BPDU message on that port
  • Root Guard: blocks a port whose received BPDU advertisement would make the attached device the root bridge
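
BPDU Guard and Root Guard as decisions on a parsed 802.1D configuration BPDU, against the root-takeover of slides 18 and 19, as an added example (not code from the original slides). Only the BPDU payload after the 802.3/LLC header is modelled; the bridge IDs, MACs and port names are constructed.

```python
"""BPDU Guard and Root Guard on a parsed 802.1D configuration BPDU.

Added example, not from the original slides. Bridge IDs, MACs and port
names are constructed.
"""
import struct

CONFIG_BPDU = 0x00


def build_bpdu(root_prio, root_mac, root_cost, bridge_prio, bridge_mac, port_id=0x8001):
    """35-byte 802.1D configuration BPDU. Bridge IDs are (priority, MAC)."""
    return (struct.pack("!HBBB", 0, 0, CONFIG_BPDU, 0)            # protocol, version, type, flags
            + struct.pack("!H", root_prio) + root_mac              # root bridge ID
            + struct.pack("!I", root_cost)
            + struct.pack("!H", bridge_prio) + bridge_mac          # sending bridge ID
            + struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256))  # times, 1/256 s


def parse_bpdu(data):
    if len(data) < 35:
        raise ValueError("truncated BPDU")
    proto, version, bpdu_type, flags = struct.unpack("!HBBB", data[:5])
    if proto != 0 or bpdu_type != CONFIG_BPDU:
        raise ValueError("not a configuration BPDU")
    return {"root_id": (struct.unpack("!H", data[5:7])[0], data[7:13]),
            "root_cost": struct.unpack("!I", data[13:17])[0],
            "bridge_id": (struct.unpack("!H", data[17:19])[0], data[19:25])}


class StpGuards:
    """Per-port guard logic. A bridge ID compares as (priority, MAC): the lower
    tuple wins the root election, which is exactly what an attacker exploits."""

    def __init__(self, current_root_id):
        self.current_root_id = current_root_id
        self.port_state = {}

    def receive_bpdu(self, port, data, bpdu_guard=False, root_guard=False):
        bpdu = parse_bpdu(data)
        if bpdu_guard:
            # An access port never expects a BPDU: any BPDU means a rogue bridge.
            self.port_state[port] = "err-disabled"
        elif root_guard and bpdu["root_id"] < self.current_root_id:
            # A superior root claim on a port that must not lead to the root: block it.
            self.port_state[port] = "root-inconsistent"
        else:
            self.port_state[port] = "forwarding"
            if bpdu["root_id"] < self.current_root_id:
                self.current_root_id = bpdu["root_id"]   # unprotected: new root accepted
        return self.port_state[port]


def demo():
    legit_root = (32768, bytes.fromhex("0000aa000001"))
    attacker = (0, bytes.fromhex("0000ee000001"))             # priority 0 beats any default
    evil = build_bpdu(*attacker, 0, *attacker)
    unprotected = StpGuards(legit_root)
    r1 = unprotected.receive_bpdu("Gi0/1", evil)               # attacker becomes root
    guarded = StpGuards(legit_root)
    r2 = guarded.receive_bpdu("Gi0/1", evil, bpdu_guard=True)  # access port
    r3 = guarded.receive_bpdu("Gi0/24", evil, root_guard=True) # uplink that must not see a root
    return r1, unprotected.current_root_id == attacker, r2, r3, guarded.current_root_id == legit_root


if __name__ == "__main__":
    print(demo())
```

Without guards the attacker's priority-0 BPDU is accepted and the topology is recomputed around it; with BPDU Guard the access port is err-disabled on the first BPDU, and with Root Guard the uplink goes root-inconsistent while the real root stays in place.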

  21. Other Attacks

  22. DHCP Rogue Server Attack
  • Simply the installation of an unknown DHCP server in the local subnet
  • Other attack: exhaustion of DHCP pools
  • RFC 3118 "Authentication for DHCP Messages" will help, but has yet to be implemented
  • Mitigation:
    – Consider using multiple DHCP servers for the different security zones of your network
    – Use an intra-VLAN ACL to block DHCP traffic from unknown servers
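
Both attacks on this slide (a rogue server and pool exhaustion) handled by the kind of DHCP filtering the mitigation bullet describes, which is also what builds the lease table used for the ARP ACL of slide 9; added example, not code from the original slides. Messages are built with build_dhcp() (constructed, not captured); the trusted port, the request limit and the addresses are assumptions.

```python
"""DHCP snooping: drop server replies on untrusted ports, rate-limit client
requests, and record leases as IP/MAC/VLAN/port bindings.

Added example, not from the original slides. Ports, limits and addresses
are constructed.
"""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0"):
    """Minimal BOOTP/DHCP message: fixed header, magic cookie, option 53, end."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += _ip("0.0.0.0") + _ip(yiaddr) + _ip("0.0.0.0") + _ip("0.0.0.0")  # ciaddr yiaddr siaddr giaddr
    header += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")       # chaddr
    header += b"\x00" * 64 + b"\x00" * 128                                    # sname, file
    return header + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(data):
    if len(data) < 240 or data[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", data[:8])
    options, i = {}, 240
    while i < len(data) and data[i] != 255:          # 255 = end option
        if data[i] == 0:                             # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid,
            "chaddr": ":".join(f"{b:02x}" for b in data[28:28 + hlen]),
            "yiaddr": ".".join(str(b) for b in data[16:20]),
            "msg_type": options.get(53, b"\x00")[0]}


class DhcpSnooper:
    def __init__(self, trusted_ports, max_requests_per_port):
        self.trusted = set(trusted_ports)      # ports that lead to the legitimate server
        self.limit = max_requests_per_port     # against pool-exhaustion floods
        self.pending = {}                      # xid -> (client mac, vlan, client port)
        self.request_count = {}                # port -> client requests seen
        self.bindings = {}                     # client mac -> (ip, vlan, port)
        self.alerts = []

    def process(self, data, vlan, port):
        m = parse_dhcp(data)
        if m is None:
            return "drop: malformed"
        if m["op"] == BOOTREPLY:
            if port not in self.trusted:
                self.alerts.append(f"rogue DHCP server: reply type {m['msg_type']} on port {port}")
                return "drop: server reply on untrusted port"
            if m["msg_type"] == DHCPACK and m["xid"] in self.pending:
                mac, cvlan, cport = self.pending.pop(m["xid"])
                self.bindings[mac] = (m["yiaddr"], cvlan, cport)   # lease now known
            return "forward"
        if port not in self.trusted:
            n = self.request_count.get(port, 0) + 1
            self.request_count[port] = n
            if n > self.limit:
                return "drop: request rate limit exceeded"
            self.pending[m["xid"]] = (m["chaddr"], vlan, port)
        return "forward"


def demo():
    snoop = DhcpSnooper(trusted_ports=[24], max_requests_per_port=3)
    client = "00:00:00:00:00:0a"
    results = [
        snoop.process(build_dhcp(BOOTREQUEST, 0x1234, client, DHCPREQUEST), 10, 1),
        snoop.process(build_dhcp(BOOTREPLY, 0x1234, client, DHCPACK, "10.0.0.50"), 10, 24),   # real server
        snoop.process(build_dhcp(BOOTREPLY, 0x1234, client, DHCPOFFER, "10.0.0.99"), 10, 7),  # rogue server
    ]
    for i in range(4):   # pool-exhaustion attempt: many client MACs from one port
        results.append(snoop.process(
            build_dhcp(BOOTREQUEST, 0x5000 + i, f"02:00:00:00:00:{i:02x}", DHCPDISCOVER), 10, 5))
    return results, snoop.bindings, snoop.alerts


if __name__ == "__main__":
    print(demo())
```

The offer from port 7 is dropped and logged, the fourth discover from port 5 hits the rate limit, and the ACK from the trusted port turns into the binding 10.0.0.50 / client MAC / VLAN 10 / port 1 that ARP inspection can later enforce.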

  23. ProActive Defense

  24. Wire-Speed Access Control Lists
  • Many current switches offer wire-speed ACLs to control traffic flows (with or without a router port)
  • Allows implementation of edge filtering that might otherwise not be deployed because of performance concerns
  • VLAN ACLs and Router ACLs are typically the two implementation methods

  25. Network Intrusion Detection System
  • Network IDS are now able to
    – Understand trunking protocols
    – Be fast enough to handle 1 Gbps
    – Including management of alerts!
    – Understand layer 2 attacks

  26. 802.1x
  • 802.1x is an IEEE standard for port-based network access control
  • EAP based
  • Improved user authentication: username and password
  • Can work on plain 802.3 or 802.11

  27. IEEE 802.1X Terminology
  [Figure: the supplicant talks EAP over LAN (EAPOL) or EAP over Wireless (EAPOW) to the authenticator (e.g. switch, access point) at the semi-public network / enterprise edge; the authenticator talks RADIUS (encrypted RADIUS) to the authentication server inside the enterprise network]

  28. What Does it Do?
  • Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
  • The authenticator (switch) becomes the middleman, relaying the EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information
  • Three forms of EAP are specified in the standard
    – EAP-MD5: MD5-hashed username/password
    – EAP-OTP: one-time passwords
    – EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL); the preferred method of authentication
  [Figure: frame layout, 802.1x header followed by the EAP payload]

  29. Example Solution "A": Access Control and User Policy Enforcement
  [Figure: login request → the switch checks the credentials with the policy DB ("Login good! This is John Doe! He goes into VLAN 5") → the switch applies policies and enables the port ("Set port VLAN to 5") → the user has access to the network, with the applicable VLAN]

  30. Example Solution "B": Access for Guest Users
  [Figure: repeated login requests go unanswered: authentication timeout, retries expired, the client is not 802.1x capable ("Put them in the quarantine zone!"). The switch applies policies and enables the port: set port VLAN to 100 (DMZ), set port QoS tagging to 7, set QoS rate limit to 2 Mbps. The user has access to the DMZ or "quarantine" network only]
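
The authenticator's side of slides 28 to 30 (EAPOL framing, relaying EAP to RADIUS, VLAN assignment on success, guest VLAN when the client never answers), as an added example (not code from the original slides). EAPOL/EAP framing follows IEEE 802.1X and RFC 3748; RADIUS is reduced to the authenticator's view of the outcome (Access-Accept or not, the relayed EAP packet, and the VLAN from the Tunnel-Private-Group-ID attribute). The identity "jdoe", VLAN 5, guest VLAN 100 and the retry count are constructed.

```python
"""802.1X authenticator port logic for the two example solutions.

Added example, not from the original slides. Identity, VLAN numbers and
retry count are constructed; RADIUS is modelled only by its result.
"""
import struct

EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eapol(packet_type, body=b""):
    return struct.pack("!BBH", 2, packet_type, len(body)) + body   # protocol version 2


def build_eap(code, identifier, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(data):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("bad EAP length")
    eap_type = data[4] if length > 4 else None
    return {"code": code, "id": identifier, "type": eap_type, "data": data[5:length]}


class AuthenticatorPort:
    def __init__(self, guest_vlan, max_retries=3):
        self.guest_vlan, self.max_retries = guest_vlan, max_retries
        self.state, self.vlan, self.identity, self.retries = "unauthorized", None, None, 0

    def on_eapol(self, frame):
        """Frame from the supplicant; returns what the switch does next."""
        version, packet_type, length = struct.unpack("!BBH", frame[:4])
        if packet_type == EAPOL_START:
            self.retries = 0
            return "send EAP-Request/Identity"
        if packet_type != EAPOL_EAP_PACKET:
            return "ignore"
        eap = parse_eap(frame[4:4 + length])
        if eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY:
            self.identity = eap["data"].decode("utf-8", "replace")
        return "relay EAP to RADIUS server"      # the switch is only the middleman

    def on_identity_timeout(self):
        """EAP-Request/Identity went unanswered (client not 802.1X capable)."""
        self.retries += 1
        if self.retries >= self.max_retries:
            self.state, self.vlan = "guest", self.guest_vlan   # solution "B"
        return self.state

    def on_radius_result(self, access_accept, eap_packet, tunnel_private_group_id=None):
        """Final RADIUS answer carrying the EAP-Success/Failure to relay."""
        eap = parse_eap(eap_packet)
        if access_accept and eap["code"] == EAP_SUCCESS:
            self.state, self.vlan = "authorized", tunnel_private_group_id   # solution "A"
        else:
            self.state, self.vlan = "unauthorized", None
        return self.state


def solution_a():
    port = AuthenticatorPort(guest_vlan=100)
    port.on_eapol(build_eapol(EAPOL_START))
    port.on_eapol(build_eapol(EAPOL_EAP_PACKET,
                              build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"jdoe")))
    port.on_radius_result(True, build_eap(EAP_SUCCESS, 2), tunnel_private_group_id=5)
    return port.state, port.vlan, port.identity


def solution_b():
    port = AuthenticatorPort(guest_vlan=100)
    while port.on_identity_timeout() != "guest":
        pass
    return port.state, port.vlan, port.identity


if __name__ == "__main__":
    print("A:", solution_a())
    print("B:", solution_b())
```

A failed RADIUS result leaves the port unauthorized with no VLAN: the guest VLAN is only for clients that never speak 802.1X, not for ones that fail authentication.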

  31. Summary

  32. Layer 2 Security Best Practices 1/2
  • Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.)
  • Always use a dedicated VLAN ID for all trunk ports
  • Be paranoid: do not use VLAN 1 for anything
  • Set all user ports to non-trunking
  • Deploy port security where possible for user ports
  • Selectively use SNMP and treat community strings like root passwords
  • Have a plan for the ARP security issues in your network

  33. Layer 2 Security Best Practices 2/2
  • Enable STP attack mitigation (BPDU Guard, Root Guard)
  • Use private VLANs where appropriate to further divide L2 networks
  • Disable all unused ports and put them in an unused VLAN
  • Consider 802.1X for the medium term
  All of the preceding features are dependent on your own security policy

  34. Final Word
  • Switches were not designed for security
  • Now, switches are designed with security in mind
  • In most cases, with good configuration, they can even enhance your network security
