Security2006 Eric Vyncke 2
Eric Vyncke
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1
Caveats
SEC-206 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Agenda
Summary
Why Worry About Layer 2 Security?
OSI Was Built to Allow Different Layers to Work Without the Knowledge of Each Other
[Figure: the OSI stacks of Host A and Host B side by side (Application, Presentation, Session, ..., Physical), with an Application Stream joining the two application layers and Physical Links joining the two physical layers]
Lower Levels Affect Higher Levels
Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem.
Security is only as strong as the weakest link.
When it comes to networking, layer 2 can be a very weak link.
[Figure: the same two OSI stacks with the Application Stream between them shown as compromised (POP3, IMAP, IM at the application layer; SSL, SSH at the presentation layer), none of the upper layers noticing]
NetOPS/SecOPS, Whose Problem Is It?
Question: What is the process for allocating addresses for segments?
Most NetOPS: The security guy asks me for a new segment, I create a VLAN and assign him an address space.
Most SecOPS: I ask NetOPS for a segment, they give me ports and addresses.
CAM Table Review
Normal CAM Behavior 1/3
[Figure: switch with CAM table A → Port 1, C → Port 3. MAC A on Port 1 sends an ARP for B. B is unknown, so the switch floods the frame out Port 2 (MAC B) and Port 3 (MAC C).]
Normal CAM Behavior 2/3
[Figure: MAC B on Port 2 answers "I am MAC B". The switch learns: A is on Port 1, B is on Port 2. CAM table now A → 1, B → 2, C → 3.]
Normal CAM Behavior 3/3
[Figure: traffic A → B. B is on Port 2, so the switch forwards the frame only to Port 2 (MAC B).]
CAM Overflow 2/2
[Figure: MAC C on Port 3 keeps sending frames claiming "I am MAC Y", "I am MAC Z", ... so that Y is on Port 3, Z is on Port 3, and so on. Assume the CAM table is now full. Traffic A → B is flooded to every port, and MAC C announces: "I see traffic to B!"]
CAM Table Full
Countermeasures for MAC Attacks
Port Security Limits the Amount of MACs on an Interface
[Figure: 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, ...) arrive on a port where only one MAC address is allowed: the port is shut down.]
Solution: Port security limits the MAC flooding attack, locks down the port and sends an SNMP trap.
Building the Layers
Port Security
DHCP: quick overview
[Figure: Client and DHCP Server. Client: DHCP Discover (broadcast). Server: DHCP Offer (unicast) carrying IP Address 10.10.10.101, Default Routers 10.10.10.1, DNS Servers 192.168.10.4 and 192.168.10.5. Client: DHCP Request (broadcast).]
Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the scope.
This is a Denial of Service (DoS) attack using DHCP leases.
Countermeasures for DHCP Attacks
DHCP Starvation Attack = Port Security
[Figure: Client and Gobbler on access ports, the DHCP Server upstream.]
Gobbler uses a new MAC address to request each new DHCP lease.
Restrict the number of MAC addresses on a port with port security.
Otherwise use DHCP option 82: the DHCP server can then track which port has already got one IP address.
DHCP Attack Types
Rogue DHCP Server Attack
[Figure: a client on VLAN 5 sends a DHCP Discovery (broadcast); a rogue DHCP server on VLAN 5 and the legitimate DHCP server (VLAN 165) can both answer.]
DHCP Attack Types
Rogue DHCP Server Attack
[Figure: DHCP snooping trust model. The port toward the legitimate DHCP server is Trusted; the ports toward the client and the rogue server are Untrusted. DHCP server responses (offer, ack, nak) from the trusted port are OK; DHCP server responses (offer, ack, nak) arriving on an untrusted port are BAD.]
ARP Function Review
[Figure: a host broadcasts "Who is 10.1.1.4?"; the owner answers "I am 10.1.1.4, MAC A".]
ARP Function Review
[Figure: the attacker at 10.1.1.3 (MAC C) sends an ARP to 10.1.1.1 saying "10.1.1.2 is MAC C" and an ARP to 10.1.1.2 (MAC B) saying "10.1.1.1 is MAC C". At 10.1.1.2, 10.1.1.1 is now MAC C.]
ARP Attack in Action
[Figure: all traffic flows through the attacker (10.1.1.3, MAC C). At 10.1.1.1 (MAC A), 10.1.1.2 is now MAC C; at 10.1.1.2 (MAC B), 10.1.1.1 is now MAC C. The attacker transmits/receives the traffic to 10.1.1.2 and the traffic to 10.1.1.1.]
Countermeasures to ARP Attacks:
Dynamic ARP Inspection
Uses the DHCP Snooping Binding table information.
All ARP packets must match the IP/MAC Binding table entries.
If the entries do not match, throw them in the bit bucket.
[Figure: Dynamic ARP Inspection enabled on the switch. The attacker at 10.1.1.3 (MAC C) sends an ARP to 10.1.1.1 (MAC A) saying "10.1.1.2 is MAC C" and an ARP to 10.1.1.2 (MAC B) saying "10.1.1.1 is MAC C". The switch asks "Is this in my binding table?" NO! None match, so the ARPs go in the bit bucket.]
Countermeasures to ARP Attacks:
Dynamic ARP Inspection
Building the Layers
Spoofing Attacks
MAC spoofing
If MACs are used for network access, an attacker can gain access to the network.
It can also be used to take over the identity of someone already on the network.
IP spoofing
Ping of death
ICMP unreachable storm
SYN flood
Trusted IP addresses can be spoofed.
Countermeasures to Spoofing Attacks:
IP Source Guard
Uses the DHCP snooping binding table information.
[Figure: 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and the attacker 10.1.1.3 (MAC C). The attacker sends traffic with source IP 10.1.1.2 and MAC C; the received traffic does not match the binding for source IP 10.1.1.2, which is MAC B.]
Countermeasures to Spoofing Attacks:
IP Source Guard
Building the Layers
[Figure: stacked layers, bottom to top: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard]
Port security prevents CAM attacks and DHCP starvation attacks
Dynamic ARP inspection prevents current ARP attacks
IP source guard prevents IP/MAC spoofing
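As an added illustration of the four layers on one access switch (constructed for this page, not a configuration from the deck): Catalyst IOS syntax of that era, with VLAN 10, the interface names, the one-MAC limit and the DHCP rate limit all assumed values; the exact IP Source Guard form and feature availability vary per platform, as the reference tables at the end note.

```cisco
! --- DHCP snooping: builds the IP/MAC/port binding table that DAI and IP Source Guard consult
ip dhcp snooping
ip dhcp snooping vlan 10
! option 82 tells the DHCP server which switch/port a request came from
ip dhcp snooping information option
!
! --- Dynamic ARP Inspection: ARP on VLAN 10 must match a binding, otherwise bit bucket
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! --- emit the SNMP trap when port security trips
snmp-server enable traps port-security
!
! --- host-facing access port (assumed name)
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! port security: one MAC allowed, shut the port on violation (CAM overflow, DHCP starvation)
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! port stays untrusted for DHCP snooping (default); cap DHCP packets per second from the host
 ip dhcp snooping limit rate 10
 ! IP Source Guard: drop IP traffic whose source IP/MAC pair is not in the binding table
 ! (assumed 3560/3750-style form; other platforms use a different keyword set)
 ip verify source port-security
!
! --- uplink toward the real DHCP server (assumed name): trusted for snooping and DAI
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```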
Spanning Tree Basics
Spanning Tree Attack Example
[Figure: two access switches and the Root. The attacker, connected to both access switches, sends BPDU messages to become root bridge; the link that STP had blocked (X) is affected.]
Spanning Tree Attack Example
[Figure: the attacker, sending BPDU messages to become root bridge, is now Root; the former Root and the blocked link (X) are shown.]
The attacker then sees frames he shouldn't.
MITM, DoS, etc. all possible.
Although STP takes link speed into consideration, it is always done from the perspective of the root bridge. Taking a Gb backbone to half-duplex 10 Mb was verified.
Requires that the attacker is dual homed to two different switches.
STP Attack Mitigation
Cisco Discovery Protocol
Basic Trunk Port Defined
[Figure: two switches joined by a trunk carrying VLAN 10 and VLAN 20 with native VLAN 10; hosts on VLAN 10 and VLAN 20 hang off each switch.]
Dynamic Trunk Protocol (DTP)
What is DTP?
Automates 802.1Q/ISL trunk configuration
Operates between switches (a Cisco IP phone is a switch)
Does not operate on routers
Support varies, check your device
Basic VLAN Hopping Attack
[Figure: the attacker's port comes up as a trunk carrying VLAN 10 and VLAN 20 (native VLAN 10), so the attacker reaches both VLANs.]
Double 802.1q Encapsulation VLAN Hopping Attack
[Figure: the attacker sends a frame carrying two 802.1q tags (802.1q, 802.1q, Frame). The first switch strips off the first tag and sends the frame back out on the trunk as a single-tagged 802.1q frame.]
Note: Only Works if Trunk Has the Same VLAN as the Attacker
Security Best Practices for VLANs and Trunking
VLAN Hopping Countermeasures
Disable trunking on all host ports (except phones)
Never use VLAN 1 anywhere
Specific VLAN for trunk native VLAN
Disable VLAN tag on access ports
Enforce VLAN tag on trunk ports
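One way to apply the VLAN hopping countermeasures above together with the BPDU Guard the conclusion lists, as an added example written for this page rather than taken from the deck: Catalyst IOS syntax, with VLAN 999 as the dedicated native VLAN, the interface names and the allowed-VLAN list assumed; `vlan dot1q tag native` is a 6500/4500-class global command and root guard is a related STP protection not named in the deck.

```cisco
! --- dedicated native VLAN that carries no user traffic; never VLAN 1 (assumed number 999)
vlan 999
 name NATIVE_UNUSED
! --- enforce tagging of the native VLAN on trunks so no frame rides a trunk untagged
! (platform-dependent global command; check your device, as the deck says of DTP support)
vlan dot1q tag native
!
! --- host port (assumed name): access only, DTP off, BPDU Guard against rogue root bridges
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! no trunk negotiation: DTP cannot turn this host port into a trunk
 switchport nonegotiate
 spanning-tree portfast
 ! a BPDU arriving from a host errdisables the port
 spanning-tree bpduguard enable
!
! --- trunk to the next switch (assumed name): explicit trunk, explicit VLAN list,
! unused native VLAN, and root guard so a device behind it cannot become root
interface GigabitEthernet0/24
 ! encapsulation keyword exists only on platforms that also support ISL (e.g. 3560)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 ! VLAN 1 is deliberately absent from the allowed list
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
```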
Control Plane Protection
Switch Management
Summary
For your reference
Minimum software versions per platform (the platform column headings were not recovered from the page; four columns per row, in the order given):
Dynamic Port Security: 7.6(1) | 12.1(13)E | 5.1(1) | 12.1(13)EW
DHCP Snooping: 8.3(1) | 12.2(18)SXE* | N/A** | 12.1(12c)EW
DAI: 8.3(1) | 12.2(18)SXE* | N/A** | 12.1(19)EW
IP Source Guard: 8.3(1)* | 12.2(18)SXD2 | N/A** | 12.1(19)EW
For your reference
Feature/Platform | 3550 EMI | 3750/3560 EMI | 2970 EI | 2950 EI | 2950 SI
DHCP Snooping | 12.1(25)SE | 12.2(25)SEA | 12.1(19)EA1 | 12.1(19)EA1 | N/A
IP Source Guard | 12.2(25)SE | 12.2(25)SEA | N/A | N/A | N/A
Note: Old Names of the Cisco IOS for the 3000 Series Switches. Cisco IOS Feature Finder: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
For your reference
Minimum software versions per platform (the platform column headings were not recovered from the page; four columns per row, in the order given):
Dynamic Port Security: 12.1(25)SE | 12.2(25)SEA | 12.1(25)SE | 12.2(25)SEA
DHCP Snooping: 12.1(25)SE | 12.2(25)SEA | 12.1(25)SE | 12.2(25)SEA
IP Source Guard: 12.2(25)SE | 12.2(25)SEA | 12.1(25)SE | 12.2(25)SEA
Conclusion
Port Security
ARP inspection
Source Guard
BPDU Guard
Q&A