
06- Securing the Local Area Network

Ahmed Sultan
CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH

2009 Cisco Learning Institute.

Layer 2 Security

[Figure: the usual perimeter picture: Internet, firewall, VPN and IPS at the edge, an ACS server, and the internal hosts including the web, email and DNS servers. Everything in the picture sits on top of Layer 2.]

OSI Model

When it comes to networking, Layer 2 is often a very weak link.

[Figure: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) side by side, annotated with what each layer carries: the application stream, protocols and ports at Transport, IP addresses at Network, MAC addresses at Data Link, physical links at Physical. An initial compromise at the Data Link layer leaves every layer above it marked Compromised.]

Each layer relies on the layer beneath it and has no way to verify it, so a host that controls the data link layer can intercept or redirect the IP, transport and application traffic of the hosts that share that link without any of the upper layers noticing.

MAC Address Spoofing Attack

[Figure: a switch with the server (MAC address AABBcc) on Port 1 and the attacker's host (MAC address 12AbDd) on Port 2. The MAC address table reads Port 1 = AABBcc, Port 2 = 12AbDd.]

The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.

Switch: "I have associated Ports 1 and 2 with the MAC addresses of the devices attached. Traffic destined for each device will be forwarded directly."

MAC Address Spoofing Attack

Attacker: "I have changed the MAC address on my computer to match the server."

[Figure: the attacker on Port 2 now sends frames with source MAC address AABBcc; the MAC address table changes to Port 2 = AABBcc, so frames addressed to the server are delivered to the attacker's port.]

Switch: "The device with MAC address AABBcc has changed locations to Port 2. I must adjust my MAC address table accordingly."

MAC Address Table Overflow Attack

The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.

MAC Address Table Overflow Attack

[Figure: hosts B, C and D on VLAN 10; the intruder is attached to port 3/25. The CAM table fills with entries such as MAC X, MAC Y and MAC Z, all learned on port 3/25.]

1. The intruder runs macof to begin sending frames with unknown, bogus source MAC addresses.
2. The bogus addresses are added to the CAM table until the CAM table is full.
3. With no room left to learn the legitimate hosts, the switch floods frames destined for them out of every port in the VLAN.
4. The attacker sees traffic to servers B and D.

LAB
MAC ADDRESS TABLE OVERFLOW ATTACK

STP Manipulation Attack

[Figure: three switches; the root bridge has priority 8192 and MAC address 0000.00C0.1234, and the ports marked F are forwarding.]

Spanning tree protocol operates by electing a root bridge. STP builds a tree topology. STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.

Configure PortFast

[Figure: PortFast is meant for ports that connect a single server or workstation.]

Switch(config-if)# spanning-tree portfast
Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.

Switch(config-if)# no spanning-tree portfast
Disables PortFast on a Layer 2 access port. PortFast is disabled by default.

Switch(config)# spanning-tree portfast default
Globally enables the PortFast feature on all nontrunking ports.

Switch# show running-config interface type slot/port
Indicates whether PortFast has been configured on a port.

STP Manipulation Attack

[Figure: the attacker, attached to an access port, sends BPDUs claiming the root bridge role (the legitimate root has priority 8192); the forwarding (F) ports are recalculated so that traffic passes through the attacker.]

The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.

BPDU Guard

[Figure: the attacker's STP BPDU arrives on a port with BPDU guard enabled; the port is blocked (B) and the root bridge is unaffected.]

Switch(config)# spanning-tree portfast bpduguard default
Globally enables BPDU guard on all ports with PortFast enabled.

A BPDU guard port that receives any BPDU is placed in the err-disabled state and stays down until it is re-enabled by hand or errdisable recovery is configured, so the guard belongs only on ports that connect end hosts.

Root Guard

[Figure: the legitimate root bridge has priority 0 and MAC address 0000.0c45.1a5d. The attacker sends an STP BPDU claiming priority 0 with MAC address 0000.0c45.1234, a lower bridge ID that would otherwise win the root election; the port facing the attacker has root guard enabled and refuses it.]

Switch(config-if)# spanning-tree guard root
Enables root guard on a per-interface basis.

Root guard is applied to the ports on which the root bridge must never appear. A superior BPDU on such a port puts it in the root-inconsistent state, and it returns to normal on its own once the superior BPDUs stop.
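The three STP slides above (STP manipulation, BPDU guard, root guard) come down to one comparison and two port-level decisions. The following Python model is an added example and is not part of the original slides: it orders bridge IDs the way STP does (lower priority wins, lower MAC breaks the tie), and then shows what happens to the attacker's BPDU on an unprotected PortFast port, on a BPDU guard port, and on a root guard port. The priorities and MAC addresses are the ones from the slides; the interface name Fa0/5 and the class and function names are assumptions.

```python
"""STP root election and the two guards, as a small model (added example, not
from the original slides). Bridge priorities and MAC addresses are the ones on
the slides; the port names are assumptions."""


def bridge_id(priority, mac):
    """Bridge ID ordering: lower priority wins, then the lower MAC address."""
    return (priority, int(mac.replace(".", ""), 16))


def is_superior(bpdu, current_root):
    """True if the root advertised in bpdu beats the root we currently know."""
    return bridge_id(*bpdu) < bridge_id(*current_root)


class AccessSwitch:
    def __init__(self, root):
        self.root = root                  # (priority, mac) of the known root bridge
        self.portfast = set()
        self.bpduguard = set()            # 'spanning-tree portfast bpduguard default' acts on PortFast ports
        self.rootguard = set()            # 'spanning-tree guard root', per interface
        self.err_disabled = set()
        self.root_inconsistent = set()

    def receive_bpdu(self, port, advertised_root):
        """Process one configuration BPDU; return what happened to the port or root."""
        if port in self.err_disabled or port in self.root_inconsistent:
            return "dropped"
        if port in self.portfast and port in self.bpduguard:
            # BPDU guard: an end-host port must never see a BPDU. Any BPDU at all
            # err-disables the port, whatever it claims.
            self.err_disabled.add(port)
            return "err-disabled"
        if is_superior(advertised_root, self.root):
            if port in self.rootguard:
                # Root guard: a superior BPDU on a port where the root must never
                # appear blocks that port; the root does not move.
                self.root_inconsistent.add(port)
                return "root-inconsistent"
            self.root = advertised_root   # STP manipulation succeeds
            return "new-root"
        return "ignored"


ATTACKER_BPDU = (0, "0000.0c45.1234")


def attack_without_guards():
    sw = AccessSwitch(root=(8192, "0000.00C0.1234"))
    sw.portfast.add("Fa0/5")              # PortFast by itself does nothing against BPDUs
    return sw.receive_bpdu("Fa0/5", ATTACKER_BPDU), sw.root


def attack_with_bpdu_guard():
    sw = AccessSwitch(root=(8192, "0000.00C0.1234"))
    sw.portfast.add("Fa0/5")
    sw.bpduguard.add("Fa0/5")
    return sw.receive_bpdu("Fa0/5", ATTACKER_BPDU), sw.root


def attack_with_root_guard():
    # The legitimate root already has priority 0; the attacker's MAC address is
    # lower, so its BPDU is still superior and would win an election.
    sw = AccessSwitch(root=(0, "0000.0c45.1a5d"))
    sw.rootguard.add("Fa0/5")
    return sw.receive_bpdu("Fa0/5", ATTACKER_BPDU), sw.root


if __name__ == "__main__":
    print("no guards:  ", attack_without_guards())
    print("BPDU guard: ", attack_with_bpdu_guard())
    print("root guard: ", attack_with_root_guard())
```

The root guard case is the one worth noticing: lowering the legitimate root's priority to 0 is not enough on its own, because the attacker can also claim priority 0 and win on the MAC address, which is why the guard has to be on the port rather than in the election.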

LAN Storm Attack

[Figure: a single broadcast replicated out of every port of the switch.]

Broadcast, multicast, or unknown-unicast frames are flooded on all ports in the same VLAN. These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.

VLAN Attacks

VLANs provide segmentation, flexibility and security.

VLAN = Broadcast Domain = Logical Network (Subnet)

VLAN Hopping Attack

[Figure: the attacker's port, nominally in VLAN 20, has been negotiated into an 802.1Q trunk; the attacker sees traffic destined for the servers in VLAN 10.]

A VLAN hopping attack can be launched by spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. Once the port is a trunk, the attacker can send and receive frames tagged for any VLAN carried on it.

Port Security Overview

[Figure: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C. Two attackers, one presenting MAC A and one presenting MAC F, plug into the secured ports.]

Port security allows an administrator to statically specify MAC addresses for a port or to permit the switch to dynamically learn a limited number of MAC addresses.

CLI Commands

Switch(config-if)# switchport mode access
Sets the interface mode as access.

Switch(config-if)# switchport port-security
Enables port security on the interface.

Switch(config-if)# switchport port-security maximum value
Sets the maximum number of secure MAC addresses for the interface (optional).

Port security cannot be enabled on a port whose mode is still dynamic, which is why switchport mode access comes first.
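The following Python model is an added example, not code from the original slides, and it serves three of the slides above: the MAC address spoofing slides, the MAC address table overflow slides, and the port security commands just listed. It keeps a switch forwarding table with a fixed capacity, so that once macof-style bogus addresses fill it the switch floods frames for hosts it can no longer learn, and it implements a per-port secure-MAC maximum with the default shutdown violation action, so that the same attack on a secured port err-disables that port after the first extra address. The table capacity of 8 entries, the port names, the host MAC addresses and the bogus-address generator are assumptions chosen for illustration.

```python
"""Toy model of a switch's MAC address table with port security (added example,
not from the original slides). The table capacity of 8 entries, the port names
and the MAC addresses are assumptions chosen for illustration."""
from collections import OrderedDict
import itertools


class Switch:
    def __init__(self, capacity, ports):
        self.capacity = capacity          # size of the MAC (CAM) table
        self.ports = set(ports)
        self.table = OrderedDict()        # mac -> port
        self.max_per_port = {}            # port -> port-security maximum
        self.err_disabled = set()         # ports shut down by a violation
        self.violations = []              # (port, offending mac)

    def enable_port_security(self, port, maximum):
        """switchport port-security / switchport port-security maximum <n>"""
        self.max_per_port[port] = maximum

    def _secure_count(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def _violation(self, port, mac):
        # The default IOS violation mode is 'shutdown': the port goes err-disabled.
        self.err_disabled.add(port)
        self.violations.append((port, mac))

    def _learn(self, mac, port):
        old = self.table.get(mac)
        if old == port:
            return
        secured = port in self.max_per_port
        if old is not None:
            # The MAC moved. A secure address seen on another secure port is a
            # violation; otherwise the switch just updates the mapping, which is
            # exactly what MAC address spoofing relies on.
            if secured and old in self.max_per_port:
                self._violation(port, mac)
            else:
                self.table[mac] = port
            return
        if secured and self._secure_count(port) >= self.max_per_port[port]:
            self._violation(port, mac)
            return
        if len(self.table) >= self.capacity:
            return                        # table full: nothing more can be learned
        self.table[mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the set of egress ports for a frame arriving on in_port."""
        if in_port in self.err_disabled:
            return set()
        self._learn(src_mac, in_port)
        if in_port in self.err_disabled:
            return set()                  # the frame that caused the violation is dropped
        if dst_mac in self.table:
            return {self.table[dst_mac]}
        # Unknown destination: flood to every other live port in the VLAN.
        return (self.ports - {in_port}) - self.err_disabled


def bogus_macs():
    """Deterministic stand-in for the random source MACs that macof generates."""
    for i in itertools.count(1):
        yield "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)


MAC_B, MAC_D = "00:00:0c:00:00:0b", "00:00:0c:00:00:0d"   # assumed server addresses


def overflow_scenario(port_security):
    """Intruder on 3/25 sends 20 frames with bogus source MACs, then server B
    on 3/26 sends a frame to server D on 3/27."""
    sw = Switch(capacity=8, ports={"3/25", "3/26", "3/27"})
    if port_security:
        sw.enable_port_security("3/25", maximum=1)
    for mac in itertools.islice(bogus_macs(), 20):
        sw.forward(mac, "ff:ff:ff:ff:ff:ff", "3/25")   # destination is irrelevant here
    egress = sw.forward(MAC_B, MAC_D, "3/26")
    return {"intruder_sees_B_to_D": "3/25" in egress,
            "table_entries": len(sw.table),
            "intruder_port_err_disabled": "3/25" in sw.err_disabled}


def spoof_scenario(port_security):
    """Server AABBcc on Port 1; the attacker on Port 2 then sends a frame with
    the server's MAC address as its source."""
    sw = Switch(capacity=8, ports={"1", "2"})
    if port_security:
        for port in ("1", "2"):
            sw.enable_port_security(port, maximum=1)
    sw.forward("AABBcc", "12AbDd", "1")   # switch learns the server on Port 1
    sw.forward("AABBcc", "12AbDd", "2")   # attacker spoofs the server's MAC
    return sw.table.get("AABBcc"), "2" in sw.err_disabled


if __name__ == "__main__":
    for secured in (False, True):
        print("port security" if secured else "no port security",
              overflow_scenario(secured), spoof_scenario(secured))
```

Without port security the table ends up holding eight bogus entries, server B can no longer be learned, and the frame to D is flooded to the intruder's port; with a maximum of one address on 3/25 the second bogus address err-disables that port, and the later B-to-D frame is forwarded only to the remaining live ports. Note that the spoofing case is only caught when both the server's port and the attacker's port are secured, since the violation is a secure address appearing on a second secure port.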

LAB
MAC ADDRESS TABLE OVERFLOW ATTACK

Mitigating VLAN Attacks

[Figure: a trunk between two switches with native VLAN = 10.]

1. Disable trunking on all access ports.
2. Disable auto trunking and manually enable trunking.
3. Be sure that the native VLAN is used only for trunk lines and nowhere else.

Controlling Trunking

Switch(config-if)# switchport mode trunk
Specifies an interface as a trunk link.

Switch(config-if)# switchport nonegotiate
Prevents the generation of DTP frames.

Switch(config-if)# switchport trunk native vlan vlan_number
Sets the native VLAN on the trunk to an unused VLAN.
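To tie the VLAN hopping slide to the three mitigations and the trunking commands above, here is an added Python example (not from the original slides). It models the DTP outcome for a port that receives spoofed "dynamic desirable" frames, shows which VLAN the attacker's tagged and untagged frames land in once the port is, or is not, a trunk, and then audits a constructed interface list against the three rules: no DTP on access ports, nonegotiate on trunks, and no access port in a trunk's native VLAN. VLAN 10 (servers) and VLAN 20 (attacker) are from the slides; the native VLAN of 1, the interface names, the sample interface list and the simplified tagging rules are assumptions.

```python
"""How DTP negotiation and 802.1Q tagging decide where an attacker's frames end
up (added example, not from the original slides). VLAN 10 and VLAN 20 are from
the slides; the native VLAN of 1, the interface names and the sample interface
list are constructed assumptions."""

# Peer DTP claims that make a dynamic local port form a trunk.
TRUNK_FORMING = {
    "dynamic auto": {"trunk", "dynamic desirable"},
    "dynamic desirable": {"trunk", "dynamic desirable", "dynamic auto"},
}


def negotiate(local_mode, peer_claim):
    """Operational mode of the local port after DTP. peer_claim is whatever the
    far end advertises (None = no DTP frames seen); an attacker can advertise
    anything it likes."""
    if local_mode == "access":
        return "access"                   # switchport mode access: DTP cannot change it
    if local_mode == "trunk":
        return "trunk"                    # unconditional trunk
    return "trunk" if peer_claim in TRUNK_FORMING[local_mode] else "access"


def ingress_vlan(mode, tag, access_vlan, native_vlan):
    """VLAN a received frame is placed in. Simplified assumption: an access port
    accepts only untagged frames; a trunk puts untagged frames in the native VLAN."""
    if mode == "access":
        return access_vlan if tag is None else None   # None = frame dropped
    return native_vlan if tag is None else tag


def hopping_attempt(local_mode, access_vlan=20, native_vlan=1, server_vlan=10):
    """The attacker spoofs DTP 'dynamic desirable' frames, then sends one frame
    tagged with the server VLAN and one untagged frame."""
    mode = negotiate(local_mode, "dynamic desirable")
    return {
        "port_mode": mode,
        "tagged_frame_lands_in": ingress_vlan(mode, server_vlan, access_vlan, native_vlan),
        "untagged_frame_lands_in": ingress_vlan(mode, None, access_vlan, native_vlan),
    }


def audit(interfaces):
    """Report interfaces that break one of the three mitigations on the slide."""
    findings = []
    native_vlans = {i["native_vlan"] for i in interfaces if i["mode"] == "trunk"}
    for i in interfaces:
        if i["mode"].startswith("dynamic"):
            findings.append(f"{i['name']}: DTP negotiation enabled ({i['mode']}); use switchport mode access or trunk")
        if i["mode"] == "trunk" and not i.get("nonegotiate", False):
            findings.append(f"{i['name']}: trunk still sends DTP; add switchport nonegotiate")
        if i["mode"] == "access" and i["access_vlan"] in native_vlans:
            findings.append(f"{i['name']}: access VLAN {i['access_vlan']} is also a trunk native VLAN")
    return findings


# Constructed sample, not a real configuration.
SAMPLE_INTERFACES = [
    {"name": "Fa0/1", "mode": "trunk", "native_vlan": 1, "nonegotiate": False},
    {"name": "Fa0/2", "mode": "dynamic auto", "access_vlan": 20},
    {"name": "Fa0/3", "mode": "access", "access_vlan": 1},
    {"name": "Fa0/4", "mode": "access", "access_vlan": 20},
    {"name": "Gi0/1", "mode": "trunk", "native_vlan": 999, "nonegotiate": True},
]


if __name__ == "__main__":
    print("dynamic auto:", hopping_attempt("dynamic auto"))
    print("access:      ", hopping_attempt("access"))
    for finding in audit(SAMPLE_INTERFACES):
        print(finding)
```

The point of the two hopping cases is that a port left in a dynamic mode needs nothing more than a forged DTP frame to become a trunk, after which the attacker's VLAN 10 tag is honoured and its untagged frames fall into the native VLAN; the same frames on a port fixed with switchport mode access either stay in VLAN 20 or are dropped. Gi0/1 in the sample shows the hardened trunk: static mode, nonegotiate, and a native VLAN that no access port uses.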
