Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

Similar documents
Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

CCNP Switch Questions/Answers Securing Campus Infrastructure

Cisco Networking Academy CCNP

Understanding Switch Security

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces

Selected Network Security Technologies

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

ActualTorrent. Professional company engaging Providing Valid Actual Torrent file for qualification exams.

Building Cisco Multilayer Switched Networks (BCMSN)

Campus Networking Workshop. Layer 2 engineering Spanning Tree and VLANs

Configuring Private VLANs

Q&As Implementing Cisco IP Switched Networks (SWITCH v2.0)

Configuring Private VLANs

2. Network Infrastructure Security -- Switching

ActualTest v by-VA

: Building Cisco Multilayer Switched Networks

CCNP SWITCH (22 Hours)

Massimiliano Sbaraglia

Configuring Dynamic ARP Inspection

actualtests.cisco.ccnp switch by.passforu

Cisco Certified Network Associate ( )

Configuring ARP attack protection 1

Number: Passing Score: 800 Time Limit: 120 min File Version: 9.0. Cisco Questions & Answers

CCNA Routing and Switching (NI )

Internetwork Expert s CCNP Bootcamp. Hierarchical Campus Network Design Overview

Deploying Layer 2 Security in Server Farms

Cisco.Braindumps v by.Toni.259q. Exam Code: Exam Name: Cisco implementing cisco switched networks

Securing Cisco Network Devices

Configuring Wireless Multicast

DEPARTMENT OF DIGITAL SYSTEMS POSTGRADUATE PROGRAM DIGITAL SYSTEMS SECURITY THESIS

Exam Topics Cross Reference

Configuring Dynamic ARP Inspection

Internetwork Expert s CCNP Bootcamp. VLANs, Trunking, & VTP. VLANs Overview

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

Implementing Cisco IP Switched Networks (SWITCH)

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco IP Switched Networks. Version: Demo

Configuring ARP attack protection 1

Configuring DHCP Features and IP Source Guard

Configuring IEEE 802.1x Port-Based Authentication

TEXTBOOK MAPPING CISCO COMPANION GUIDES

Fundamental IOS Security

Configuring IPv6 First-Hop Security

48-Port 10/100/1000BASE-T + 4-Port 100/1000BASE-X SFP Gigabit Managed Switch GS T4S

A Framework for Optimizing IP over Ethernet Naming System

CCNA Security 1.0 Student Packet Tracer Manual

Configuring Private VLANs Using NX-OS

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

Configuring DHCP Features and IP Source Guard

Configuring Port-Based Traffic Control

Analysis on new possibility security threads in IEEE 802.1CQ

exam. Number: Passing Score: 800 Time Limit: 120 min CISCO Interconnecting Cisco Networking Devices Part 1 (ICND)

References: tates-roles.html

Cisco Exam Bundle

Introduction to Switched Networks Routing And Switching

CCNA Routing & Switching

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Configuring IEEE 802.1x Port-Based Authentication

FiberstoreOS. Security Configuration Guide

DHCP Configuration. Page 1 of 14

ARP Inspection and the MAC Address Table

Networking interview questions

Catalyst 4500 Series IOS Commands

FSOS Security Configuration Guide

User Handbook. Switch Series. Default Login Details. Version 1.0 Edition

Chapter 2. Switch Concepts and Configuration. Part II

Configuring Private Hosts

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

BrainDumps q Implementing Cisco Edge Network Security Solutions

Cisco Exam Bundle

Switched environments security... A fairy tale.

Symbols. Numerics INDEX

Basic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016

Configuring Access and Trunk Interfaces

Configuring DHCP Features and IP Source Guard

Catalyst 4500 Series IOS Commands

Authorized CCNP. Student. LabManual SWITCH.

Understanding and Configuring Dynamic ARP Inspection

Control Plane Protection

CCNP Bootcamp. Introduction

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets?

Interconnecting Cisco Networking Devices: Accelerated

Catalyst 1900 Series and Catalyst 2820 Series Enterprise Edition Software Configuration Guide

Configuring Private VLANs

Configuring Port-Based Traffic Control

cisco. Number: Passing Score: 800 Time Limit: 120 min.

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN


Cisco. Exam Questions SWITCH Implementing Cisco IP Switched Networks. Version:Demo

Written by Alexei Spirin Wednesday, 02 January :06 - Last Updated Wednesday, 02 January :24

"Charting the Course... Interconnecting Cisco Networking Devices Accelerated 3.0 (CCNAX) Course Summary

Configuring Web-Based Authentication

S4600-SI Series L2 Gigabits Dual Stack Intelligent Switch Datasheet

Configuring Port-Based Traffic Control

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

Transcription:

Internetwork Expert s CCNA Security Bootcamp Mitigating Layer 2 Attacks http:// Layer 2 Mitigation Overview The network is only as secure as its weakest link If layer 2 is compromised, all layers above it are compromised As usual, knowing is half the battle What are common types of attacks? How do we detect them? How do we stop them? Copyright 2010 Internetwork Expert 1

VLAN Hopping Attack Attacking host attached to Ethernet network sends 802.1Q / ISL tagged frames into switched network in order to hop over VLAN barriers Two variations Host runs Dynamic Trunking Protocol (DTP) to actually form a trunk link with the adjacent switch Host sends frames double tagged with 802.1q headers Outside header is padding Inside header is tagged with destination VLAN of victim VLAN Hopping Mitigation Host facing interfaces should not be dynamic ports switchport mode access Don t use VLAN 1, ever! Unused ports should be assigned to unused non VLAN 1 VLAN Native VLAN should be changed to new administrative VLAN Copyright 2010 Internetwork Expert 2

CAM Table Attacks Switch s Content Addressable Memory (CAM) table associates destination MAC address with outgoing interface If CAM table is full all unknown entries are treated like broadcast traffic Forward out all ports in VLAN except the one it was received on Attacker floods frames with random source MAC addresses until CAM table fills up VLAN essentially turns into a hub Port Security CAM Attack Mitigation Limit the amount of source MAC addresses on a port Limit the specific MAC address allowed on a port Shut down the port or filter traffic if a violation occurs Generate a syslog or SNMP trap for notification Copyright 2010 Internetwork Expert 3

Man-in in-the-middle (MiM( MiM) ) Attack Spanning-Tree Protocol Attacks STP is designed to prevent physical loops in the network Attacks against STP can be for DoS or for MiM DoS with configuration BPDU or TCN BPDU MiM by claiming root bridge Mitigation Root guard BPDU guard Copyright 2010 Internetwork Expert 4

DHCP Starvation Attack DHCP server has finite IP address scope Attacker sends flood of DHCP requests with spoofed source MAC addresses DHCP server leases one IP address per MAC address until pool is depleted Victim hosts are starved of a DHCP lease DHCP Starvation Mitigation Port Security Limit the amount of source MAC addresses on a port Limit the specific MAC address allowed on a port Shut down the port or filter traffic if a violation occurs Generate a syslog or SNMP trap for notification Copyright 2010 Internetwork Expert 5

DHCP Starvation Variation Port security can be used to limit number of MAC addresses on an interface Attacker can t generate DHCP requests with lots of source MAC addresses Some DHCP implementation don t use client source MAC address but instead use Client Hardware Address inside DHCP request payload Attacker can keep source MAC address in Ethernet frame the same but change the source MAC address in the DHCP packet Port security sees only one source MAC address - same starvation attack result DHCP Starvation Mitigation DHCP Snooping Listens for DHCP traffic between client and server Builds IP to MAC mapping on a per interface basis Additional DHCP requests are dropped on interfaces that already have IP to MAC binding in the snooping table Copyright 2010 Internetwork Expert 6

Rogue DHCP Server Attack DHCP requests are layer 2 broadcasts within the VLAN By default anyone could reply to a host s DHCP request Can facilitate simple DoS, or worse, MiM attack For MiM attacker replies to host s request with Itself as default gateway Sniff all traffic then forward to correct gateway Transparent from victim perspective Itself as DNS server Redirect www.cisco.com to phishing website Rogue DHCP Server Mitigation DHCP Snooping Port connected to DHCP server is in snooping trust state DHCP replies denied in all other ports Copyright 2010 Internetwork Expert 7

Rogue DHCP Server Mitigation If switches don t support snooping DHCP request uses UDP port 67 DHCP reply users UDP 68 Filter DHCP replies from all sources except DHCP server Can use port ACLs but VACLs would be more efficient ARP Spoofing Attacks ARP is normally request / reply protocol What is 1.2.3.4 s MAC address? I m 1.2.3.4, my MAC address is Gratuitous is an unsolicited ARP reply Legitimate use is to refresh neighbors ARP cache Illegitimate use is to spoof someone else s MAC address Can be used to facilitate MiM attack Copyright 2010 Internetwork Expert 8

ARP Attack Mitigation DHCP Snooping & Dynamic ARP Inspection DHCP snooping builds IP and MAC binding table When ARP replies are received the snooping table is checked to see if IP source and MAC address in ARP match Malformed replies are dropped MAC Spoofing Attack Attacker simply modifies source MAC and/or IP address to look like someone else From victim s perspective it looks like legitimate host Copyright 2010 Internetwork Expert 9

MAC Spoofing Mitigation IP Source Guard Works like Dynamic ARP Inspection but checks all packets instead of just ARP Consults DHCP snooping table If source IP address and MAC don t match snooping table traffic is dropped MAC Spoofing Mitigation If switches don t support IP Source Guard Port security can be used to allow only specific source MAC address or limit number of MAC addresses allowed in the interface Copyright 2010 Internetwork Expert 10

802.1X Authentication Used for username / password authentication between client and switch Uses AAA w/ RADIUS for authentication Stops illegitimate hosts from joining the network in the first place Private VLANs Allow for layer 2 isolation and access control between ports within the same VLAN Can span multiple switches Example: Device A, B, C and D are in VLAN 10 Device A should be allowed to communicate with device B, C, and D Device B and C should be allowed to communicate with device A and each other Device D should only be allowed to communicate with device A Copyright 2010 Internetwork Expert 11

Layer 2 Attacks Q&A Copyright 2010 Internetwork Expert 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback