© 2006 Cisco Systems, Inc. All rights reserved. SND v2.03-1 Securing LAN and WLAN Devices Mitigating Layer 2 Attacks.



Outline
– Overview
– Mitigating VLAN Hopping Attacks
– Preventing STP Manipulation
– Mitigating DHCP Server Spoofing with DHCP Snooping
– Mitigating ARP Spoofing with DAI
– CAM Table Overflow Attacks
– MAC Address Spoofing Attacks
– Using Port Security to Prevent Attacks
– Configuring Cisco Catalyst Switch Port Security
– Layer 2 Best Practices
– Summary

VLAN Hopping by Switch Spoofing
– The attacker's station sends Dynamic Trunking Protocol (DTP) frames that make the switch believe it is connected to a legitimate switch that needs a trunk.
– If the port is in a DTP negotiating mode (dynamic auto or dynamic desirable), the switch forms the trunk with the rogue station, which then becomes a member of every VLAN carried on that trunk.
– Note: switch spoofing cannot be executed unless the switch port is misconfigured. On older Catalyst switches the default port mode still negotiates trunking, so "misconfigured" includes "left at the default": every port that is not a trunk should be set to access mode explicitly.

VLAN Hopping by Double Tagging
– The attacker (on VLAN 10) sends double-encapsulated 802.1Q frames: an outer tag for VLAN 10, which is also the native VLAN of the trunk between the switches, and an inner tag for the victim's VLAN 20.
– The first switch performs only one level of decapsulation: it strips the outer tag, and because the frame now belongs to the native VLAN it goes out over the trunk untagged apart from the inner 802.1Q tag that is still in place.
– The second switch reads the remaining tag and delivers the frame into VLAN 20, to the victim.
– Only unidirectional traffic is passed; the victim's replies have no path back into VLAN 10.
– The attack works even if trunking is set to off on the attacker's port, because the attacker never needs a trunk of its own; the inter-switch trunk does the work.
– Note: this attack works only if the trunk's native VLAN is the same as the attacker's access VLAN. Like switch spoofing, it requires a misconfiguration: a native VLAN that is also used for access ports.

Mitigating VLAN Hopping Network Attacks (the commands are entered on the switch; the original slide shows a Router(config-if)# prompt)
Example 1: If no trunking is required on an interface, disable trunking and DTP negotiation on it:
  Switch(config-if)# switchport mode access
Example 2: If trunking is required, enable it statically and prevent DTP frames from being generated:
  Switch(config-if)# switchport mode trunk
  Switch(config-if)# switchport nonegotiate
Example 3: If trunking is required, set the native VLAN on the trunk to an unused VLAN, so that no access port shares it and a double-tagged frame has no VLAN to land in (both ends of the trunk must use the same native VLAN):
  Switch(config-if)# switchport trunk native vlan vlan-number
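The three fixes above are easy to state and easy to miss on one port out of hundreds. The following audit script is an added example, not part of the Cisco course material: it parses interface stanzas out of a show running-config excerpt (SAMPLE_CONFIG is constructed for illustration) and flags the two conditions the VLAN hopping attacks need, a port that still negotiates trunking with DTP and a trunk whose native VLAN is the default VLAN 1 or is shared with an access VLAN. It assumes, as on older Catalyst switches, that a port with no switchport mode line is left at a DTP negotiating default.

```python
"""Audit a Cisco IOS switch configuration for VLAN-hopping exposure.

Added example; not from the Cisco SND course. It parses the switchport
commands used on this page out of a 'show running-config' excerpt and flags
the two misconfigurations the attacks need: a port that still negotiates
trunking with DTP (switch spoofing) and a trunk whose native VLAN is the
default VLAN 1 or is shared with access ports (double tagging).
SAMPLE_CONFIG is constructed for illustration.
"""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
    return stanzas


def audit_vlan_hopping(config):
    """Return a sorted list of (interface, finding) tuples."""
    stanzas = parse_interfaces(config)
    findings = []

    # VLANs that carry access ports; a trunk must not use one of them as native VLAN.
    access_vlans = set()
    for lines in stanzas.values():
        for line in lines:
            m = re.fullmatch(r"switchport access vlan (\d+)", line)
            if m:
                access_vlans.add(int(m.group(1)))

    for name, lines in stanzas.items():
        mode, native, nonegotiate = None, 1, False   # native VLAN 1 is the IOS default
        for line in lines:
            m = re.fullmatch(r"switchport mode (\S+).*", line)
            if m:
                mode = m.group(1)
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
            if m:
                native = int(m.group(1))
            if line == "switchport nonegotiate":
                nonegotiate = True

        # Assumption: a port with no 'switchport mode' line is left at a DTP
        # negotiating default (dynamic auto/desirable), as on older Catalysts.
        if mode is None or mode == "dynamic":
            findings.append((name, "DTP negotiation enabled: a station can negotiate a trunk "
                                   "(switch spoofing); set 'switchport mode access'"))
        elif mode == "trunk":
            if not nonegotiate:
                findings.append((name, "trunk still sends DTP frames; add 'switchport nonegotiate'"))
            if native == 1:
                findings.append((name, "native VLAN left at the default VLAN 1"))
            if native in access_vlans:
                findings.append((name, f"native VLAN {native} is also an access VLAN: "
                                       "double tagging possible; move it to an unused VLAN"))
    return sorted(findings)


if __name__ == "__main__":
    for interface, finding in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against the constructed sample, the script leaves FastEthernet0/1 and GigabitEthernet0/2 alone and flags the other three ports; GigabitEthernet0/1 gets two findings because its native VLAN 10 is exactly the access VLAN the double-tagging slide uses. Feed it the real running-config and treat every finding as a port to fix with one of the three examples above.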

STP Attack
– On booting, STP elects one switch as the root bridge and blocks the redundant data paths so that the topology stays loop-free.
– STP uses BPDUs to elect the root and maintain the loop-free topology.
Figure: three switches with redundant links; switch A is the root; F = forwarding port, B = blocking port.

STP Attack (Cont.)
– The attacker sends spoofed BPDUs that advertise a better (lower) bridge ID than the current root in order to change the STP topology.
– STP re-converges and the attacker now becomes the root bridge: the port that was blocking opens, a previously forwarding link is blocked, and traffic between the access switches is carried through the attacker, who can then inspect or alter it.
Figure: the topology before and after the spoofed BPDUs; F = forwarding port, B = blocking port.

Mitigating STP Attacks with the bpduguard and guard root Commands
– BPDU guard mitigates STP manipulation on PortFast (edge) ports: any BPDU received on such a port puts the port into the err-disabled state. Enable it globally for all PortFast ports with
  IOS(config)# spanning-tree portfast bpduguard default
  (the per-interface form is spanning-tree bpduguard enable).
– Root guard mitigates STP manipulation on ports that must never face the root: if a port receives a superior BPDU, one that would make the neighbour the root bridge, the port goes into the root-inconsistent (blocking) state and recovers by itself once the superior BPDUs stop.
  IOS(config-if)# spanning-tree guard root
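The two guards are often confused, because both "block" an attacker's BPDU. The difference is in what triggers them and how the port recovers, and the following model makes that concrete. It is an added example, not Cisco code: it replays one spoofed superior BPDU against a BPDU-guarded edge port, a root-guarded port and an unguarded port. The bridge IDs (priority plus MAC, lower wins) and port names are constructed.

```python
"""How BPDU guard and root guard each react to a received BPDU.

Added example; not Cisco code. It models the decision a Catalyst makes when
a BPDU arrives on a port that has 'spanning-tree portfast bpduguard' or
'spanning-tree guard root' applied, and what happens on an unguarded port.
Bridge IDs are constructed; lower (priority, MAC) wins the root election.
"""
from dataclasses import dataclass


@dataclass(order=True, frozen=True)
class BridgeId:
    """802.1D bridge identifier: priority first, then the bridge MAC as tiebreaker."""
    priority: int
    mac: str


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId     # the root the sender believes in
    sender_id: BridgeId   # the sending bridge


@dataclass
class Port:
    name: str
    bpduguard: bool = False
    rootguard: bool = False
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent


def receive_bpdu(port, bpdu, current_root):
    """Apply the guards and return (new port state, root bridge after this BPDU)."""
    if port.bpduguard:
        # BPDU guard: an edge port must never see a BPDU at all. Any BPDU,
        # superior or not, err-disables the port until an operator recovers it.
        port.state = "err-disabled"
        return port.state, current_root

    if port.rootguard:
        # Root guard: the port may stay up and carry normal BPDUs, but a superior
        # BPDU (one that would make the neighbour the root) puts it into the
        # root-inconsistent state. It recovers by itself once such BPDUs stop.
        if bpdu.root_id < current_root:
            port.state = "root-inconsistent"
            return port.state, current_root
        port.state = "forwarding"
        return port.state, current_root

    # No guard: the BPDU takes part in the election, so a spoofed superior
    # BPDU simply makes the attacker the new root bridge.
    port.state = "forwarding"
    return port.state, min(bpdu.root_id, current_root)


def demo():
    """Replay one spoofed superior BPDU against three differently guarded ports."""
    legit_root = BridgeId(32768, "0000.0c11.1111")
    attacker = BridgeId(0, "0000.0c99.9999")           # priority 0 beats any legitimate bridge
    spoofed = Bpdu(root_id=attacker, sender_id=attacker)
    results = {}
    for port in (Port("Fa0/5", bpduguard=True),
                 Port("Gi0/1", rootguard=True),
                 Port("Gi0/2")):
        state, root = receive_bpdu(port, spoofed, legit_root)
        results[port.name] = (state, root == attacker)
    return results


if __name__ == "__main__":
    for name, (state, attacker_is_root) in demo().items():
        print(f"{name}: port {state}, attacker became root: {attacker_is_root}")
```

Only the unguarded port lets the attacker win the election. Note the recovery difference that the model encodes: the BPDU-guarded port stays err-disabled until an administrator (or errdisable recovery) brings it back, while the root-guarded port returns to forwarding as soon as it stops receiving superior BPDUs, so root guard is the right choice on links to other switches and BPDU guard on ports that face end stations.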

Spoofing the DHCP Server
1. An attacker activates a DHCP server on a network segment.
2. A client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can, assigning attacker-defined IP configuration information to the client.
4. Host packets are redirected to the attacker's address, because the erroneous DHCP configuration names the attacker as the client's default gateway and the attacker emulates that gateway.
Figure: client, rogue DHCP server (attacker) and legitimate DHCP server on the same segment.

DHCP Snooping
– DHCP snooping allows each port to be configured as trusted or untrusted. Ports are untrusted by default.
  – Trusted ports (toward the legitimate DHCP server, or uplinks that lead to it) may forward any DHCP message, including server replies such as DHCPOFFER, DHCPACK and DHCPNAK.
  – Untrusted ports (access ports) may forward only client messages such as DHCPDISCOVER and DHCPREQUEST. A server reply arriving on an untrusted port is dropped, which is what defeats the rogue DHCP server.
– DHCP snooping enables the switch to build a DHCP snooping binding table from the server replies it sees, mapping a client MAC address, IP address, VLAN and port ID.
– Use the ip dhcp snooping global command (together with ip dhcp snooping vlan for the VLANs to protect) and mark the server-facing port with the ip dhcp snooping trust interface command.
Figure: client, rogue DHCP server (attacker) on an untrusted port, legitimate DHCP server on a trusted port.

ARP Spoofing: Man-in-the-Middle Attacks
Hosts A and B are legitimate (MAC addresses A.A.A.A and B.B.B.B); host C is the attacker (MAC address C.C.C.C).
1. Host A broadcasts an ARP request asking which MAC address belongs to host B's IP address.
2. Host B sends the legitimate ARP reply: its IP address is bound to MAC B.B.B.B, and host A records that in its ARP table.
3. The attacker then sends gratuitous ARP replies that overwrite the legitimate entries: in host A's ARP table, host B's IP address is now bound to C.C.C.C, and in host B's ARP table, host A's IP address is bound to C.C.C.C. Host C's own ARP table keeps the true bindings (A.A.A.A and B.B.B.B), so it can relay traffic between A and B and read or modify it in transit while neither host notices.

Mitigating Man-in-the-Middle Attacks with DAI
– Dynamic ARP Inspection (DAI) is built on DHCP snooping. The switch tracks the DHCP Discover (broadcast) from the client and the DHCP Offer (unicast) from the DHCP server, records the resulting MAC-to-IP binding, and then tracks every subsequent ARP packet for that MAC or IP against the binding.
– DAI provides protection against attacks such as ARP poisoning carried out with spoofing tools such as ettercap, dsniff and arpspoof.
– DAI function: track Discover; track DHCP Offer (MAC or IP); track subsequent ARPs for that MAC or IP.

DAI in Action
– A binding table containing IP-address-to-MAC-address associations is populated dynamically by DHCP snooping.
– The attacker sends a gratuitous ARP (GARP) announcing "I am your gateway" in an attempt to change the IP-to-MAC binding for the gateway's address.
– The switch checks the GARP against the binding table: the gateway's IP address is not bound to the attacker's MAC address, so according to the binding table the attacker is not the gateway, and the ARP packet is dropped and logged.
– Hosts with static addresses (the gateway itself, servers) have no DHCP binding; their ports must be trusted for DAI, or covered by a static ARP access list, or their legitimate ARP traffic is dropped too.
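The DHCP snooping and DAI slides above describe two checks that share one data structure, the binding table. The following model is an added example, not Cisco code: server-side DHCP messages are accepted only on trusted ports and create bindings keyed on the port the client's request came in on, and ARP packets on untrusted ports are validated against those bindings. Port names, MAC addresses and the 10.0.0.0/24 addresses are constructed; the page itself names no addresses.

```python
"""DHCP snooping and Dynamic ARP Inspection in miniature.

Added example; not Cisco code. It models the two checks described on the
DHCP snooping and DAI slides above: server-side DHCP messages are accepted
only on trusted ports and create bindings, and ARP packets on untrusted
ports are validated against those bindings. Ports, MAC addresses and the
10.0.0.0/24 addresses are constructed for illustration.
"""
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}          # only a DHCP server sends these
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # (vlan, client mac) -> port the client's REQUEST arrived on
        self.bindings = {}   # (vlan, ip) -> (mac, port): the DHCP snooping binding table

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """Filter one DHCP message; learn a binding from an ACK seen on a trusted port."""
        if msg in SERVER_MESSAGES and port not in self.trusted:
            # A rogue server on an access port: its OFFER/ACK never reach the client.
            return "drop: DHCP server message on untrusted port"
        if msg in CLIENT_MESSAGES:
            self.pending[(vlan, client_mac)] = port
        elif msg == "ACK" and ip is not None:
            client_port = self.pending.get((vlan, client_mac))
            if client_port is not None:
                self.bindings[(vlan, ip)] = (client_mac, client_port)
        return "forward"

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender IP/MAC must match a binding on that port."""
        if port in self.trusted:
            return "forward"            # uplinks and the gateway side are trusted
        entry = self.bindings.get((vlan, sender_ip))
        if entry != (sender_mac, port):
            return "drop: ARP sender does not match the DHCP snooping binding"
        return "forward"


def demo():
    """Legitimate lease on Fa0/1, rogue DHCP server and ARP poisoner on Fa0/3, uplink Gi0/1."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/1"])
    log = []
    # Rogue server on an access port answers first, but its OFFER is dropped.
    log.append(sw.dhcp("Fa0/3", 10, "OFFER", "aaaa.aaaa.aaaa", "10.0.0.200"))
    # Legitimate exchange: client request, server ACK via the trusted uplink.
    log.append(sw.dhcp("Fa0/1", 10, "REQUEST", "aaaa.aaaa.aaaa"))
    log.append(sw.dhcp("Gi0/1", 10, "ACK", "aaaa.aaaa.aaaa", "10.0.0.5"))
    # ARP: the client is fine; the attacker claiming the gateway or the client is dropped.
    log.append(sw.arp("Fa0/1", 10, "aaaa.aaaa.aaaa", "10.0.0.5"))
    log.append(sw.arp("Fa0/3", 10, "cccc.cccc.cccc", "10.0.0.1"))   # "I am your gateway"
    log.append(sw.arp("Fa0/3", 10, "cccc.cccc.cccc", "10.0.0.5"))   # impersonating the client
    log.append(sw.arp("Gi0/1", 10, "0000.0c07.ac01", "10.0.0.1"))   # real gateway, trusted port
    return sw, log


if __name__ == "__main__":
    for decision in demo()[1]:
        print(decision)
```

Two details in the model are the ones that bite in practice. First, the binding records the client's port, not the uplink the ACK came in on, so a valid address used from a different port is still rejected. Second, the real gateway's ARP is accepted only because its port is trusted; if the uplink were left untrusted, DAI would cut the whole VLAN off from its gateway, which is why the caveat on the previous slide matters.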

CAM Learning by Flooding the Network
– Hosts A, B and C sit on ports 1, 2 and 3. The CAM table holds only MAC A on port 1 and MAC C on port 3.
– Host A sends a frame to MAC B (A->B). The CAM table is incomplete: MAC B is unknown, so the switch floods the frame out of every port except the one it arrived on.
– MAC C therefore sees the traffic to MAC B.

CAM Learns That MAC B Is on Port 2
– Host B replies to host A (B->A). Host C, which also received the flooded frame, drops the packet addressed to host B because it is not the destination.
– From the source address of B's reply the switch learns that MAC B is on port 2, and the CAM table now reads: A on port 1, B on port 2, C on port 3.

CAM Table Is Updated, Flooding Stops
– Host A sends to MAC B again (A->B). The CAM table has learned that MAC B is on port 2, so the frame is forwarded only to port 2.
– MAC C does not see traffic to MAC B anymore.
– CAM tables are limited in size, and that limit is what the next slides exploit.

Intruder Launches the macof Utility
– The intruder on MAC C (port 3) runs macof, which starts sending frames with bogus, never-before-seen source MAC addresses (X->?, Y->?, and so on).
– Each bogus address is learned like any other source: X is on port 3 and the CAM table is updated; Y is on port 3 and the CAM table is updated; the bogus addresses keep being added to the CAM table.

The CAM Table Overflows, the Switch Crumbles Under the Pressure
– The CAM table is now full of the attacker's bogus addresses (X, Y, ... on port 3), so no further legitimate address can be learned, and once MAC B's entry ages out it cannot be re-learned.
– When host A now sends to MAC B (A->B), MAC B is unknown, so the switch floods the frame looking for MAC B, and the intruder on port 3 receives a copy of traffic that should have gone only to port 2.
– As long as the attacker keeps the table full, the switch behaves like a hub for every address it can no longer hold.
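The five CAM slides above are a single mechanism seen one step at a time; the following simulation, an added example and not Cisco code, replays the whole sequence against a size-limited table with an aging timer so that the interaction that makes macof work (the attacker keeping the table full while a quiet host's entry ages out) is visible in one run. Port names, MAC addresses, the table size of 8 entries and the 300-second aging time are constructed values.

```python
"""A size-limited CAM table under a macof-style flood.

Added example; not Cisco code. It models the learn-and-forward behaviour
from the CAM slides above: unknown destinations are flooded, bogus source
addresses fill the table, and once a legitimate entry ages out it cannot be
re-learned, so that host's traffic is flooded to the attacker's port.
Port names, MAC addresses and the table size are constructed.
"""


class Switch:
    def __init__(self, ports, cam_size, aging=300):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.aging = aging          # seconds of inactivity before an entry is removed
        self.cam = {}               # mac -> (port, last seen)
        self.now = 0

    def advance(self, seconds):
        """Move the clock and age out idle entries, as the switch's aging timer does."""
        self.now += seconds
        self.cam = {mac: (port, seen) for mac, (port, seen) in self.cam.items()
                    if self.now - seen < self.aging}

    def forward(self, in_port, src, dst):
        """Learn src on in_port if there is room; return the set of egress ports for dst."""
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, self.now)
        # else: the table is full and src is simply not learned
        if dst in self.cam:
            return {self.cam[dst][0]}                # known unicast: one port
        return set(self.ports) - {in_port}            # unknown unicast: flood


def macof_flood(switch, attacker_port, count):
    """Send `count` frames with bogus, never-seen source and destination MACs."""
    for i in range(count):
        src = f"0200.{i >> 16:04x}.{i & 0xFFFF:04x}"    # constructed bogus addresses
        dst = f"0201.{i >> 16:04x}.{i & 0xFFFF:04x}"
        switch.forward(attacker_port, src, dst)


def demo():
    """Hosts A (Fa0/1) and B (Fa0/2); the intruder runs macof on Fa0/3."""
    A, B = "0000.0000.000a", "0000.0000.000b"
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_size=8)
    sw.forward("Fa0/1", A, B)                 # B unknown: flooded, A learned
    sw.forward("Fa0/2", B, A)                 # B learned on Fa0/2
    before = sw.forward("Fa0/1", A, B)        # {"Fa0/2"}: flooding has stopped
    macof_flood(sw, "Fa0/3", 100)             # table fills up with bogus entries
    sw.advance(301)                           # A and B stay quiet past the aging time...
    macof_flood(sw, "Fa0/3", 100)             # ...while the attacker keeps the table full
    after = sw.forward("Fa0/1", A, B)         # B cannot be re-learned: flooded, incl. Fa0/3
    return before, after, len(sw.cam)


if __name__ == "__main__":
    before, after, size = demo()
    print(f"before attack A->B goes to {sorted(before)}; after attack to {sorted(after)}; "
          f"CAM holds {size} entries, all bogus")
```

The model deliberately does not evict old entries to make room (real switches do not either; they just stop learning), which is why the attack only needs the attacker to send faster than the aging timer runs. It also shows why the "limit the number of MAC addresses per port" countermeasure works: if Fa0/3 could never contribute more than a handful of source addresses, the table would never fill.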

MAC Address Spoofing Attack
– Host A and the attacker (host B) are on the same switch. The switch port table initially maps MAC A to host A's port and MAC B to the attacker's port.
– The attacker sends frames whose source address is host A's MAC (SRC: MAC A). The switch learns the spoofed source and updates its port table: MAC A is now mapped to the attacker's port (spoofed switch port table).
– Frames destined to MAC A (DEST MAC: A) are now delivered to the attacker instead of host A. The entry points back at host A as soon as host A transmits again (updated switch port table), so the attacker keeps resending spoofed frames to hold it.
SRC = source, DEST = destination.

Using Port Security to Mitigate Attacks
Port security can mitigate attacks by these methods:
– Blocking input to a port from unauthorized MAC addresses
– Filtering traffic to or from a specific host based on the host's MAC address
Port security mitigates these attacks:
– CAM table overflow attacks, because a port can never inject more source addresses than its configured maximum
– MAC address spoofing attacks, because an unknown source address on a secured port, or a secure address appearing on another secured port, is a violation

Port Security Fundamentals
– This feature restricts input to an interface by limiting and identifying the MAC addresses of the end devices allowed on it.
– Secure MAC addresses are included in the address table in one of these ways:
  – Use the switchport port-security mac-address mac_address interface configuration command to configure all secure MAC addresses statically
  – Allow the port to configure secure MAC addresses dynamically from the source addresses of connected devices
  – Configure some addresses and allow the rest to be configured dynamically
– Configure the violation action: shutdown, restrict or protect.

Port Security Configuration
Secure MAC addresses are of these types:
– Static secure MAC addresses: configured manually and stored in the running configuration
– Dynamic secure MAC addresses: learned from traffic and lost when the switch restarts
– Sticky secure MAC addresses: learned dynamically and then added to the running configuration, so they survive a reload if the configuration is saved
Security violations occur in these situations:
– A station whose MAC address is not in the address table attempts to access the interface when the table is full, that is, when the configured maximum has been reached.
– An address that is secure on one interface is seen on a second secure interface in the same VLAN.

Port Security Defaults
Feature: default setting
– Port security: disabled on a port
– Maximum number of secure MAC addresses: 1
– Violation mode: shutdown (the port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent)

Configuring Port Security on a Cisco Catalyst Switch
1. Enter global configuration mode (configure terminal).
2. Enter interface configuration mode for the port that you want to secure (interface interface-id). The port must be an access port (switchport mode access): port security cannot be enabled on a port that is still negotiating its mode.
3. Enable basic port security on the interface (switchport port-security).
4. Set the maximum number of MAC addresses allowed on this interface (switchport port-security maximum value).
5. Set the interface security violation mode (switchport port-security violation mode). The default is shutdown. For mode, select one of these keywords:
   – shutdown: the port is err-disabled, the violation counter is incremented, and an SNMP trap and a syslog message are sent; the port stays down until an administrator re-enables it (shutdown, then no shutdown) or errdisable recovery brings it back.
   – restrict: frames from unknown source addresses are dropped, the violation counter is incremented, and an SNMP trap and a syslog message are sent; the port stays up.
   – protect: frames from unknown source addresses are dropped silently, with no counter and no notification.
6. Return to privileged EXEC mode (end).
7. Verify the entry (show port-security interface interface-id).

Port Security Configuration Script
  Switch# configure terminal
  Switch(config)# interface fastethernet0/1
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport port-security
  Switch(config-if)# switchport port-security maximum 50
  Switch(config-if)# switchport port-security mac-address sticky
  Switch(config-if)# switchport port-security aging time 20
  Switch(config-if)# end
This script uses these configuration parameters:
– Enable port security on Fast Ethernet port 0/1 (the port is set to access mode first, which port security requires)
– Set the maximum number of secure addresses to 50
– Leave the violation mode at its default (shutdown)
– Configure no static secure MAC addresses
– Enable sticky learning, so that the addresses learned are written into the running configuration
– Age out secure addresses after 20 minutes

Verify the Configuration
  Switch# show port-security interface fastethernet0/1
  Port Security: Enabled
  Port status: SecureUp
  Violation mode: Shutdown
  Maximum MAC Addresses: 50
  Total MAC Addresses: 11
  Configured MAC Addresses: 0
  Sticky MAC Addresses: 11
  Aging time: 20 mins
  Aging type: Inactivity
  SecureStatic address aging: Enabled
  Security Violation count: 0
The output confirms the script: port security is enabled with the default shutdown violation mode, 11 of the 50 allowed addresses have been learned and all 11 are sticky, none were configured statically, and no violation has occurred yet.
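The slides from "Using Port Security to Mitigate Attacks" through the verification output describe several behaviours (maximum count, sticky learning, the three violation modes, and the cross-port rule for a secure address that shows up on a second secure port) that are easiest to understand when run side by side. The following simulation is an added example, not Cisco code, and port names, VLANs and MAC addresses are constructed; it replays a macof-style burst against a restrict port, the MAC-spoofing case against a default (shutdown) port, and the same burst against a protect port.

```python
"""Port-security enforcement as configured on the preceding slides, in miniature.

Added example; not Cisco code. It models 'switchport port-security' on an
access port: a maximum number of secure addresses, static and sticky
learning, the three violation modes, and the switch-wide rule that a
secure address seen on a second secure port in the same VLAN is a
violation. Port names, VLANs and MAC addresses are constructed.
"""


class SecurePort:
    def __init__(self, name, vlan, maximum=1, violation="shutdown", sticky=False, static=()):
        self.name, self.vlan = name, vlan
        self.maximum = maximum
        self.violation = violation          # shutdown (default) | restrict | protect
        self.sticky = sticky
        self.secure = set(static)           # static (and sticky) addresses: in running-config
        self.dynamic = set()                # dynamic addresses: lost on reload
        self.violations = 0                 # 'Security Violation count' in show port-security
        self.status = "SecureUp"            # SecureDown once err-disabled
        self.log = []

    def addresses(self):
        return self.secure | self.dynamic

    def violate(self, src_mac):
        """Apply the configured violation action; the offending frame is always dropped."""
        if self.violation == "shutdown":
            self.status = "SecureDown"      # err-disabled until shutdown / no shutdown
            self.violations += 1
            self.log.append(f"PORT_SECURITY: {src_mac} on {self.name}, port err-disabled")
        elif self.violation == "restrict":
            self.violations += 1            # port stays up; trap and syslog are sent
            self.log.append(f"PORT_SECURITY: {src_mac} on {self.name}, frame dropped")
        # protect: drop silently, no counter, no notification
        return "drop"

    def ingress(self, src_mac):
        if self.status == "SecureDown":
            return "drop"
        if src_mac in self.addresses():
            return "forward"
        if len(self.addresses()) < self.maximum:
            (self.secure if self.sticky else self.dynamic).add(src_mac)
            return "forward"
        return self.violate(src_mac)


class Switch:
    """Adds the cross-port check: one secure MAC may not be active on two secure ports."""
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.secured_on = {}                # (vlan, mac) -> port name

    def ingress(self, port_name, src_mac):
        port = self.ports[port_name]
        owner = self.secured_on.get((port.vlan, src_mac))
        if owner is not None and owner != port_name:
            return port.violate(src_mac)    # MAC spoofing, or a station moved without release
        decision = port.ingress(src_mac)
        if decision == "forward":
            self.secured_on[(port.vlan, src_mac)] = port_name
        return decision


def demo():
    """Replay a few frames; the intruder's macof burst is cut off at the maximum."""
    sw = Switch([
        SecurePort("Fa0/1", vlan=10, maximum=2, violation="restrict", sticky=True),
        SecurePort("Fa0/2", vlan=10),                       # defaults: maximum 1, shutdown
        SecurePort("Fa0/3", vlan=10, maximum=3, violation="protect"),
    ])
    sw.ingress("Fa0/1", "aaaa.aaaa.aaaa")                   # host A, learned sticky
    sw.ingress("Fa0/1", "bbbb.bbbb.bbbb")                   # host B, learned sticky
    restrict = [sw.ingress("Fa0/1", f"0200.0000.{i:04x}") for i in range(5)]   # macof burst
    spoof = sw.ingress("Fa0/2", "aaaa.aaaa.aaaa")           # A's address appears on Fa0/2
    protect = [sw.ingress("Fa0/3", f"0200.0001.{i:04x}") for i in range(5)]    # same burst
    return sw, restrict, spoof, protect


if __name__ == "__main__":
    sw, restrict, spoof, protect = demo()
    for port in sw.ports.values():
        print(f"{port.name}: {port.status}, violations={port.violations}, "
              f"secure={sorted(port.secure)}, dynamic={sorted(port.dynamic)}")
```

The run reproduces the show port-security fields on the previous slide: on the restrict port the status stays SecureUp while the violation count climbs with every bogus frame, on the default shutdown port the first spoofed frame flips the status to SecureDown and nothing passes afterwards, and the protect port drops the overflow with a count of zero, which is why protect is the mode you will not see in the logs. The sticky addresses on Fa0/1 end up in the secure set, corresponding to the switchport port-security mac-address sticky entries that appear in the running configuration on a real switch.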

Layer 2 Best Practices
– Restrict management access to the switch so that parties on nontrusted networks cannot exploit management interfaces and protocols such as SNMP.
– Avoid using clear-text management protocols on a hostile network.
– Turn off unused and unneeded network services.
– Use port security mechanisms to limit the number of allowed MAC addresses, which provides protection against MAC flooding attacks.
– Use a dedicated native VLAN ID for all trunk ports.
– Shut down unused ports.
– Prevent denial-of-service attacks and other exploits by locking down the Spanning Tree Protocol and other dynamic protocols.
– Avoid using VLAN 1, where possible, for trunk and user ports.
– Use DHCP snooping and DAI to mitigate man-in-the-middle attacks.

Summary
– Disabling auto trunking (DTP negotiation) mitigates VLAN hopping attacks.
– The guard root command and the bpduguard command mitigate STP attacks.
– DAI can protect against man-in-the-middle ARP attacks.
– To prevent DHCP attacks, use the DHCP snooping and port security features on Cisco Catalyst switches.
– Mitigate CAM table overflow attacks with port security, configured with Cisco IOS software commands.
– Configuring port security can prevent MAC address spoofing attacks.
– Limiting the number of valid MAC addresses allowed on a port provides many benefits.
– Configure port security with Cisco IOS software commands.
– Following best practices mitigates Layer 2 attacks.
