Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Transcription

1 Network Security The Art of War in The LAN Land Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

2 Part I MAC Attacks

3 MAC Address/CAM Table Review 48 Bit Hexadecimal Number Creates Unique Layer 2 Address ABC First 24 bits = Manufacture code cXX.XXXX All FFs = Broadcast FFFF.FFFF.FFFF Second 24 bits = Specific interface cXX.XXXX CAM table stands for Content Addressable Memory. The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN. All CAM tables have a fixed size. 3

4 Normal CAM Behavior 1/3 4

5 Normal CAM Behavior 2/3 5

6 Normal CAM Behavior 3/3 6

7 MAC Address Spoofing 1/2 7

8 MAC Address Spoofing 2/2 8

9 CAM Overflow 1/3 Macof tool since 1999 About 100 lines of perl. Included in the dsniff tool. Attack successful by exploiting the size limit on CAM tables. To keep hosts that work with sensitive data on a separate VLAN. To isolate the traffic coming from untrusted parts from the network. 9

10 CAM Overflow 2/3 10

11 CAM Overflow 3/3 The attacker sends a continuous set of frames with random source MAC. Because CAM tables have limited size, eventually the switch will run out of room and not have any more space for new MAC addresses. Since there is no more room in the CAM table for the host without an entry, all communications to that host must be flooded. The attacker can now see all the traffic sent from the victim host to the host without a CAM table entry. This could include passwords, usernames, and so forth. 11

12 Caveats for MAC Attacks with a completely full CAM table, traffic is flooded only on the local VLAN, meaning traffic on VLAN 10 stays on VLAN 10, but everyone with a port on VLAN 10 will see the traffic. Because of the flooding, this attack could also flood the CAM table on adjacent switches. Because of the sheer quantity of traffic the attacker sends, this attack might also result in a DoS condition on the network. 12

13 Countermeasures for MAC Attacks Port Security Limits the Amount of MACs on an Interface. 13

14 Port Security In the past you would have to type in the only MAC you were going to allow on that port. You can now put a limit to how many MAC address a port will learn. You might still want to do static MAC entries on ports that there should be no movement of devices, as in server farms. 14

15 Part II DHCP Attacks

16 DHCP Function: High Level 16

17 DHCP Function: Lower Level 17

18 DHCP Starvation Attack The DHCP Server leases a new IP address for each new MAC address. Attackers could continue to request IP addresses from a DHCP server by changing their source MAC addresses in much the same way as is done in a CAM table flooding attack. The goal is to try to lease all of the DHCP addresses available in the DHCP scope. This is a Denial of Service DoS attack using DHCP leases 18

19 Countermeasures for DHCP Starvation Attack Exercise. 19

20 Rogue DHCP Server Attack 20

21 Rogue DHCP Server Attack Wrong default Gateway Attacker is the gateway. Wrong DNS server Attacker is DNS server. Wrong IP address Attacker does DOS with incorrect IP. 21

22 Countermeasures: DHCP Snooping DHCP snooping works by separating trusted from untrusted interfaces on a switch. Trusted interfaces are allowed to respond to DHCP requests; untrusted interfaces are not. 22

23 DHCP Snooping Binding Table Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses. 23

24 Countermeasures: DHCP VACLs Not all switches support DHCP Snooping. The VACL can specify which addresses are able to send DHCP replies. These replies will come from the unicast IP address of the DHCP server offering the lease. By filtering these replies by source address, rogue DHCP servers can be properly filtered. 24

25 DHCP VACLs Example 1/2 The VACL can specify that only DHCP answers coming from the Default Gateway are accepted. 25

26 DHCP VACLs Example 2/2 The user PC boots up and sends a DHCP request with source and destination Both the default router and the rogue DHCP server see this request. The rogue DHCP server replies, but since the source IP address is not , the reply is dropped by the access switch. The default router passes the DHCP request to the real DHCP server, receives a reply, and passes this information on to the client. The client connects and uses the network. 26

27 Security Consideration for DHCP VACLs Using VACLs to stop rogue DHCP servers is far from comprehensive protection. The rogue server could still spoof the IP address of the legitimate DHCP server. 27

28 Part III ARP Attacks

29 ARP Function Review Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address. All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply. 29

30 ARP Function Review A client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP; other hosts on the same subnet can store this information in their ARP tables. Anyone can claim to be the owner of any IP/MAC address they like send an ARP reply. 30

31 ARP Attack in Action Attacker poisons the ARP tables 31

32 ARP Attack in Action All traffic flows through the attacker 32

33 ARP Attack Clean up Attacker corrects ARP tables entries. 33

34 Countermeasure: Dynamic ARP Inspection All ARP packets must match the IP/MAC Binding table entries. If the entries do not match, throw them in the bit bucket. 34

35 Dynamic ARP Inspection Uses the information from the DHCP Snooping Binding table. Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding, if not, traffic is blocked. ARP inspection allows VLAN ACLs (VACLs) to be applied to ARP traffic flowing across a specific VLAN on the switch 35

36 Part IV Other Considerations

37 Cisco Discovery Protocol (CDP) CDP allows Cisco devices to exchange information about one another's capabilities. CDP information is sent in periodic broadcasts that are updated locally in each device's CDP database. CDP information includes: Hostname, Native VLAN, Duplex setting, Software version, VTP domain settings. 37

38 Security Considerations for CDP CDP is in the clear and unauthenticated. An attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device. CDP can be used to learn sensitive information about the CDP sender (IP address, software version, router model ). Some Cisco applications make use of CDP. 38

39 CDP Security Recommandations Consider disabling CDP, or being very selective in its use in security sensitive environments. Besides the information gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if you sent it tons of bogus CDP packets. 39

40 Private VLAN (PVLAN) Recall that VLAN is essentially a broadcast domain. Private VLANs (PVANs) allow splitting the domain into multiple isolated broadcast subdomains, introducing sub-vlans inside a VLAN. PVLANs cannot communicate directly with each other they require an L3 device to forward packets between separate subdomains. In turn, the L3 device may either permit or forbid communications between sub-vlans using access-lists. 40

41 Why use PVLANs PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from each other, since the traditional solution of deploying one VLAN per customer is not scalable and is difficult to manage. Another typical use for a PVLAN is to provide per-room Internet access in a hotel. 41

42 PVLAN Overview We take VLAN 1000 and divide it into three PVLANs. 42

43 PVLAN Terminology 1/2 Promiscuous ( P ) port: Usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN. Isolated ( I ) port: This type of port is only allowed to communicate with P -ports i.e., they are stub port. You commonly see these ports connecting to hosts. Community ( C ) port: Community ports are allowed to talk to their buddies, sharing the same community (group) and to P -ports. 43

44 PVLAN Terminology 2/2 Primary VLAN (VLAN 1000 in our example). This VLAN is used to forward frames downstream from P -ports to all other port types ( I and C ports) in the system. Essentially, Primary VLAN embraces all ports in the domain, but only transports frames from the router to hosts (from P to I and C ). Secondary Isolated VLAN: forwards frames from I ports to P ports. Since Isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-Port to the P-port. Secondary Community VLANs: Transport frames between community ports (C-ports) within to the same group (community) and forward frames upstream to the P-ports of the primary VLAN. 44

45 How PVLAN Works 45

46 How PVLAN Works The Primary VLAN delivers frames downstream from the router (P port) to all mapped hosts. The Isolated VLAN transports frames from the stub hosts upstream to the router. The Community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards P - ports. Ethernet MAC address learning and forwarding procedure remain the same, as well as broadcast/multicast flooding procedure within boundaries of primary/secondary VLANs. 46

47 PVLAN Ports Connectivity 47

48 Part V Summary

49 Best Practices 1/2 Always use a dedicated VLAN ID for all trunk ports. Avoid using VLAN 1. Set all user ports to non-trunking. Deploy port security when possible for user ports. Choose one or more ARP security options. 49

50 Best Practices 2/2 Use authentication for VTP when VTP is needed. Disable CDP where it is not needed. Disable all unused ports and put them in an unused VLAN. Enable STP attack mitigation (BPDU Guard, Root Guard). Use PVLANs where appropriate. 50