Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018



Part I MAC Attacks

MAC Address/CAM Table Review
A MAC address is a 48-bit hexadecimal number that forms a unique Layer 2 address, e.g. 1234.5678.9ABC. The first 24 bits are the manufacturer code (the 0000.0c part of 0000.0cXX.XXXX); the second 24 bits identify the specific interface (the XX.XXXX part). All FFs (FFFF.FFFF.FFFF) is the broadcast address.
CAM stands for Content Addressable Memory. The CAM table stores information such as the MAC addresses seen on each physical port together with their associated VLAN. All CAM tables have a fixed size.

Normal CAM Behavior 1/3

Normal CAM Behavior 2/3

Normal CAM Behavior 3/3

MAC Address Spoofing 1/2

MAC Address Spoofing 2/2

CAM Overflow 1/3
The macof tool has been around since 1999: about 100 lines of Perl, included in the dsniff toolkit. The attack succeeds by exploiting the size limit on CAM tables.
To keep hosts that work with sensitive data on a separate VLAN. To isolate the traffic coming from untrusted parts of the network.

CAM Overflow 2/3

CAM Overflow 3/3
The attacker sends a continuous stream of frames with random source MACs. Because CAM tables have a limited size, the switch eventually runs out of room and has no space left for new MAC addresses. Since there is no room in the CAM table for a host without an entry, all communications to that host must be flooded. The attacker can now see all the traffic sent from the victim host to the host without a CAM table entry. This could include passwords, usernames, and so forth.

Caveats for MAC Attacks
With a completely full CAM table, traffic is flooded only on the local VLAN: traffic on VLAN 10 stays on VLAN 10, but everyone with a port on VLAN 10 will see it. Because of the flooding, this attack could also fill the CAM table on adjacent switches. Because of the sheer quantity of traffic the attacker sends, the attack might also result in a DoS condition on the network.

Countermeasures for MAC Attacks
Port Security limits the number of MACs on an interface.

Port Security
In the past you had to type in the only MAC you were going to allow on a port. You can now set a limit on how many MAC addresses a port will learn. You might still want static MAC entries on ports where devices should not move, as in server farms.
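The two slides above (CAM Overflow 3/3 and Port Security) can be tied together in a small model. The following Python is an added example, not code from the original deck or from any switch vendor: it models a CAM table of fixed size that floods unknown destinations within a VLAN, then shows the same frames with a per-port MAC limit (port security in its shutdown-style violation mode). The CAM capacity of 8, the port names Gi1/1..Gi1/4, the VLAN numbers and all MAC addresses are constructed for illustration.

```python
"""Toy model of a switch CAM table with a fixed size, plus port security.

Added example, not part of the original slides: the CAM capacity, port names,
VLANs and MAC addresses are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Switch:
    cam_size: int                                  # fixed number of CAM entries
    ports: Dict[str, int]                          # port -> access VLAN
    max_macs_per_port: Optional[int] = None        # port-security limit; None = disabled
    cam: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # mac -> (port, vlan)
    learned: Dict[str, Set[str]] = field(default_factory=dict)      # port -> MACs learned on it
    err_disabled: Set[str] = field(default_factory=set)             # ports shut by port security

    def learn(self, port: str, vlan: int, src_mac: str) -> str:
        """Source-MAC learning for one ingress frame.

        Returns 'known', 'learned', 'full' (CAM exhausted, nothing learned) or
        'violation' (port security tripped; the port is err-disabled, like the
        'shutdown' violation mode)."""
        if port in self.err_disabled:
            return "violation"
        if src_mac in self.cam:
            return "known"
        on_port = self.learned.setdefault(port, set())
        if self.max_macs_per_port is not None and len(on_port) >= self.max_macs_per_port:
            self.err_disabled.add(port)
            return "violation"
        if len(self.cam) >= self.cam_size:
            return "full"
        self.cam[src_mac] = (port, vlan)
        on_port.add(src_mac)
        return "learned"

    def egress_ports(self, vlan: int, dst_mac: str, ingress: str) -> Set[str]:
        """Unicast to the CAM entry if known, otherwise flood within the VLAN."""
        entry = self.cam.get(dst_mac)
        if entry is not None and entry[1] == vlan:
            return {entry[0]}
        return {p for p, v in self.ports.items()
                if v == vlan and p != ingress and p not in self.err_disabled}


def cam_overflow_scenario(port_security: bool) -> Tuple[str, Set[str], List[str]]:
    """Victim on Gi1/1, server on Gi1/2 (silent so far), attacker on Gi1/3, all VLAN 10;
    Gi1/4 is on VLAN 20 to show that flooding stays inside the VLAN.
    Returns (result of the server's first learn, ports that receive victim->server
    traffic, err-disabled ports)."""
    sw = Switch(cam_size=8,
                ports={"Gi1/1": 10, "Gi1/2": 10, "Gi1/3": 10, "Gi1/4": 20},
                max_macs_per_port=2 if port_security else None)
    sw.learn("Gi1/1", 10, "00:00:00:00:00:01")            # victim host talks first
    for i in range(50):                                    # macof-style random source MACs
        sw.learn("Gi1/3", 10, "02:00:00:00:00:%02x" % i)
    server_learn = sw.learn("Gi1/2", 10, "00:00:00:00:00:02")
    seen_by = sw.egress_ports(10, "00:00:00:00:00:02", "Gi1/1")
    return server_learn, seen_by, sorted(sw.err_disabled)


if __name__ == "__main__":
    print("no port security:", cam_overflow_scenario(False))
    print("port security, max 2 MACs:", cam_overflow_scenario(True))
```

Without port security the attacker's random MACs fill the table, the server's MAC is never learned ('full'), and victim-to-server frames are flooded to every VLAN 10 port, including the attacker's Gi1/3 but not Gi1/4 on VLAN 20. With a limit of two MACs per port the third random MAC trips the violation, Gi1/3 is err-disabled, the CAM keeps its free space, and the server's traffic goes only to Gi1/2.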

Part II DHCP Attacks

DHCP Function: High Level

DHCP Function: Lower Level

DHCP Starvation Attack
The DHCP server leases a new IP address for each new MAC address. Attackers can keep requesting IP addresses from a DHCP server by changing their source MAC address, in much the same way as in a CAM table flooding attack. The goal is to lease all of the addresses available in the DHCP scope. This is a Denial of Service (DoS) attack using DHCP leases.

Countermeasures for DHCP Starvation Attack
Exercise.

Rogue DHCP Server Attack

Rogue DHCP Server Attack
Wrong default gateway: the attacker is the gateway. Wrong DNS server: the attacker is the DNS server. Wrong IP address: the attacker causes a DoS with an incorrect IP.

Countermeasures: DHCP Snooping
DHCP snooping works by separating trusted from untrusted interfaces on a switch. Trusted interfaces are allowed to respond to DHCP requests; untrusted interfaces are not.

DHCP Snooping Binding Table
The switch builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

Countermeasures: DHCP VACLs
Not all switches support DHCP snooping. A VACL can specify which addresses are allowed to send DHCP replies. Legitimate replies come from the unicast IP address of the DHCP server offering the lease, so by filtering replies by source address, rogue DHCP servers can be filtered out.

DHCP VACLs Example 1/2
The VACL can specify that only DHCP answers coming from the default gateway are accepted.

DHCP VACLs Example 2/2
The user PC boots up and sends a DHCP request with source 0.0.0.0 and destination 255.255.255.255. Both the default router and the rogue DHCP server see this request. The rogue DHCP server replies, but since the source IP address is not 192.0.2.1, the reply is dropped by the access switch. The default router passes the DHCP request to the real DHCP server, receives a reply, and passes this information on to the client. The client connects and uses the network.

Security Consideration for DHCP VACLs
Using VACLs to stop rogue DHCP servers is far from comprehensive protection: the rogue server could still spoof the IP address of the legitimate DHCP server.
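The DHCP snooping slides and the DHCP VACL example above describe two different filters for the same rogue-server problem, and the last slide names the weakness of the VACL approach. The following Python is an added example, not code from the original deck or from any switch, that puts both policies side by side on the same constructed set of server replies: a trusted uplink Gi1/24, a client on Gi1/5, a rogue server on Gi1/7, the gateway address 192.0.2.1 from the slide example, and the other addresses and MACs are all assumptions. It also shows how a snooping binding table is populated only from replies that passed the trusted-port check.

```python
"""Two rogue-DHCP countermeasures from the slides modelled side by side:
DHCP snooping (accept server replies only on trusted interfaces) and a DHCP
VACL (accept replies only from the legitimate server's unicast IP).
Added example, not from the original deck; ports, addresses and packets are
constructed. Each reply is treated as the final ACK for simplicity."""
from typing import Callable, Dict, List, NamedTuple, Tuple


class DhcpReply(NamedTuple):
    ingress: str      # switch port the reply arrived on
    src_ip: str       # IP source address of the server reply
    client_mac: str   # chaddr: the client being answered
    yiaddr: str       # address offered to the client


TRUSTED_PORTS = {"Gi1/24"}     # uplink to the default router (constructed)
LEGIT_SERVER_IP = "192.0.2.1"  # the gateway that relays DHCP in the slide example

# Client DISCOVERs already seen by the switch: client MAC -> (port, VLAN)
REQUESTS: Dict[str, Tuple[str, int]] = {"00:11:22:33:44:55": ("Gi1/5", 10)}

REPLIES: List[DhcpReply] = [
    DhcpReply("Gi1/24", "192.0.2.1", "00:11:22:33:44:55", "192.0.2.50"),   # legitimate, via the gateway
    DhcpReply("Gi1/7", "192.0.2.66", "00:11:22:33:44:55", "192.0.2.200"),  # rogue server, its own IP
    DhcpReply("Gi1/7", "192.0.2.1", "00:11:22:33:44:55", "192.0.2.201"),   # rogue server spoofing the gateway IP
]


def snooping_allows(reply: DhcpReply) -> bool:
    """DHCP snooping: server-to-client messages are accepted only on trusted ports."""
    return reply.ingress in TRUSTED_PORTS


def vacl_allows(reply: DhcpReply) -> bool:
    """DHCP VACL: accept replies only if the source IP is the legitimate server."""
    return reply.src_ip == LEGIT_SERVER_IP


def accepted_offers(policy: Callable[[DhcpReply], bool],
                    replies: List[DhcpReply] = REPLIES) -> List[str]:
    """Addresses the client would actually be offered under a given policy."""
    return [r.yiaddr for r in replies if policy(r)]


def build_binding_table(replies: List[DhcpReply] = REPLIES,
                        requests: Dict[str, Tuple[str, int]] = REQUESTS
                        ) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """DHCP snooping binding table: (vlan, client MAC) -> (leased IP, client port),
    populated only from replies that passed the trusted-port check."""
    table: Dict[Tuple[int, str], Tuple[str, str]] = {}
    for r in replies:
        if not snooping_allows(r) or r.client_mac not in requests:
            continue
        port, vlan = requests[r.client_mac]
        table[(vlan, r.client_mac)] = (r.yiaddr, port)
    return table


if __name__ == "__main__":
    print("VACL accepts:", accepted_offers(vacl_allows))
    print("snooping accepts:", accepted_offers(snooping_allows))
    print("binding table:", build_binding_table())
```

The VACL drops the rogue reply that carries the rogue's own address but lets through the one that spoofs 192.0.2.1, which is exactly the caveat on the last slide. Snooping decides on the ingress interface instead of the packet's source field, so both rogue replies from the untrusted port Gi1/7 are dropped, and the binding table ends up with only the legitimate lease.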

Part III ARP Attacks

ARP Function Review
Before a station can talk to another station it must send an ARP request to map the IP address to a MAC address. All computers on the subnet receive and process the ARP request; the station whose IP address matches the one in the request sends an ARP reply.

ARP Function Review
A client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP, and other hosts on the same subnet may store this information in their ARP tables. Anyone can claim to be the owner of any IP/MAC pair they like by sending an ARP reply.

ARP Attack in Action
Attacker poisons the ARP tables.

ARP Attack in Action
All traffic flows through the attacker.

ARP Attack Clean up
Attacker corrects the ARP table entries.

Countermeasure: Dynamic ARP Inspection
All ARP packets must match the IP/MAC binding table entries. If the entries do not match, throw them in the bit bucket.

Dynamic ARP Inspection
Uses the information from the DHCP snooping binding table. Looks at the MacAddress and IpAddress fields to check whether the ARP packet received on the interface matches a binding; if not, the traffic is blocked. ARP inspection also allows VLAN ACLs (VACLs) to be applied to ARP traffic flowing across a specific VLAN on the switch.
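The two DAI slides above describe the check in words; the following Python is an added example, not code from the original deck or from any switch, that applies it to a handful of constructed ARP packets against a constructed snooping binding table. It shows the cases a practitioner cares about: an honest request and an honest gratuitous ARP pass, a gratuitous reply claiming the gateway's IP from a host bound to another address is dropped, an unknown MAC is dropped, and ARP from the trusted uplink is not inspected. Port names, VLAN 10, the 192.0.2.0/24 addresses and all MACs are assumptions.

```python
"""Toy Dynamic ARP Inspection (DAI) check on untrusted ports.
Added example, not from the original deck; the binding table, trusted port
and ARP packets below are constructed."""
from typing import Dict, List, NamedTuple, Set, Tuple


class ArpPacket(NamedTuple):
    ingress: str
    vlan: int
    sender_mac: str   # the MacAddress field the slide refers to
    sender_ip: str    # the IpAddress field the slide refers to
    target_ip: str
    opcode: int       # 1 = request, 2 = reply


# DHCP snooping binding table: (vlan, MAC) -> (leased IP, port); constructed sample
BINDINGS: Dict[Tuple[int, str], Tuple[str, str]] = {
    (10, "00:00:00:00:00:01"): ("192.0.2.10", "Gi1/1"),
    (10, "00:00:00:00:00:02"): ("192.0.2.20", "Gi1/2"),
}
TRUSTED_PORTS: Set[str] = {"Gi1/24"}   # uplink to the router: ARP from here is not inspected


def dai_verdict(pkt: ArpPacket) -> str:
    """Permit the packet only if its sender MAC/IP pair matches a binding on this
    VLAN and arrived on the port the binding was learned on."""
    if pkt.ingress in TRUSTED_PORTS:
        return "permit"
    binding = BINDINGS.get((pkt.vlan, pkt.sender_mac))
    if binding is None:
        return "drop: no binding for sender MAC"
    bound_ip, bound_port = binding
    if bound_ip != pkt.sender_ip:
        return "drop: sender IP does not match binding"
    if bound_port != pkt.ingress:
        return "drop: wrong ingress port for binding"
    return "permit"


PACKETS: List[ArpPacket] = [
    # honest request from host 1 for the gateway
    ArpPacket("Gi1/1", 10, "00:00:00:00:00:01", "192.0.2.10", "192.0.2.1", 1),
    # honest gratuitous ARP from host 1 announcing its own address
    ArpPacket("Gi1/1", 10, "00:00:00:00:00:01", "192.0.2.10", "192.0.2.10", 2),
    # host 2 sends a gratuitous reply claiming the gateway IP (poisoning attempt)
    ArpPacket("Gi1/2", 10, "00:00:00:00:00:02", "192.0.2.1", "192.0.2.10", 2),
    # reply from a MAC that never obtained a DHCP lease
    ArpPacket("Gi1/3", 10, "02:aa:bb:cc:dd:ee", "192.0.2.10", "192.0.2.20", 2),
    # host 1's MAC/IP pair seen on the wrong port
    ArpPacket("Gi1/3", 10, "00:00:00:00:00:01", "192.0.2.10", "192.0.2.20", 2),
    # reply from the router on the trusted uplink
    ArpPacket("Gi1/24", 10, "00:00:5e:00:01:01", "192.0.2.1", "192.0.2.10", 2),
]


def inspect_all(packets: List[ArpPacket] = PACKETS) -> List[str]:
    return [dai_verdict(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(PACKETS, inspect_all()):
        print(p.ingress, p.sender_mac, p.sender_ip, "->", v)
```

Note that DAI does not forbid gratuitous ARP as such: host 1 announcing its own leased address passes, while the same message type carrying an IP the sender was never leased is what gets dropped. Hosts with static addresses have no snooping binding and would need an explicit ARP ACL or a trusted port, which is why the slides pair DAI with DHCP snooping.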

Part IV Other Considerations

Cisco Discovery Protocol (CDP)
CDP allows Cisco devices to exchange information about one another's capabilities. CDP information is sent in periodic broadcasts and stored locally in each device's CDP database. CDP information includes: hostname, native VLAN, duplex setting, software version, VTP domain settings.

Security Considerations for CDP
CDP is sent in the clear and is unauthenticated. An attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device. CDP can be used to learn sensitive information about the CDP sender (IP address, software version, router model, ...). Some Cisco applications make use of CDP.

CDP Security Recommendations
Consider disabling CDP, or being very selective in its use, in security-sensitive environments. Besides the information-gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if they were sent large numbers of bogus CDP packets.

Private VLAN (PVLAN)
Recall that a VLAN is essentially a broadcast domain. Private VLANs (PVLANs) allow splitting the domain into multiple isolated broadcast subdomains, introducing sub-VLANs inside a VLAN. PVLANs cannot communicate directly with each other; they require an L3 device to forward packets between separate subdomains. In turn, the L3 device may either permit or forbid communications between sub-VLANs using access lists.

Why use PVLANs
PVLANs are useful for restricting the flow of broadcast and unknown unicast traffic and for limiting the communication between known hosts. Service providers use PVLANs to keep their customers isolated from each other, since the traditional solution of deploying one VLAN per customer is not scalable and is difficult to manage. Another typical use for a PVLAN is to provide per-room Internet access in a hotel.

PVLAN Overview
We take VLAN 1000 and divide it into three PVLANs.

PVLAN Terminology 1/2
Promiscuous (P) port: usually connects to a router. This port type is allowed to send and receive L2 frames from any other port on the VLAN.
Isolated (I) port: this type of port is only allowed to communicate with P-ports, i.e. it is a stub port. You commonly see these ports connecting to hosts.
Community (C) port: community ports are allowed to talk to their buddies sharing the same community (group) and to P-ports.

PVLAN Terminology 2/2
Primary VLAN (VLAN 1000 in our example): this VLAN is used to forward frames downstream from P-ports to all other port types (I and C ports) in the system. Essentially, the primary VLAN embraces all ports in the domain, but only transports frames from the router to hosts (from P to I and C).
Secondary isolated VLAN: forwards frames from I-ports to P-ports. Since isolated ports do not exchange frames with each other, we can use just ONE isolated VLAN to connect all I-ports to the P-port.
Secondary community VLANs: transport frames between community ports (C-ports) within the same group (community) and forward frames upstream to the P-ports of the primary VLAN.

How PVLAN Works

How PVLAN Works
The primary VLAN delivers frames downstream from the router (P-port) to all mapped hosts. The isolated VLAN transports frames from the stub hosts upstream to the router. The community VLANs allow bi-directional frame exchange within a single group, in addition to forwarding frames upstream towards P-ports. The Ethernet MAC address learning and forwarding procedures remain the same, as does broadcast/multicast flooding within the boundaries of the primary/secondary VLANs.
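The terminology and "How PVLAN Works" slides above reduce to two rules: which port types may exchange frames, and which VLAN (primary, isolated or community) carries a frame depending on where it enters. The following Python is an added example, not code from the original deck or from any switch, that encodes those rules and goes slightly beyond the slides by computing the full reachability set of every port so that the isolation can be checked at a glance. The port names, the primary VLAN 1000 from the overview slide, and the secondary VLAN numbers 1001 to 1003 and community names are assumptions.

```python
"""Private VLAN forwarding rules as a small reachability model.
Added example, not from the original deck; port names and the secondary VLAN
numbers are constructed (the primary VLAN 1000 comes from the slides)."""
from typing import Dict, List, NamedTuple, Optional

PRIMARY_VLAN = 1000                         # carries frames downstream from P-ports
ISOLATED_VLAN = 1001                        # one isolated VLAN serves all I-ports
COMMUNITY_VLANS = {"web": 1002, "db": 1003}  # one secondary VLAN per community


class Port(NamedTuple):
    kind: str                       # "P" promiscuous, "I" isolated, "C" community
    community: Optional[str] = None  # only meaningful for C-ports


PORTS: Dict[str, Port] = {
    "router": Port("P"),
    "room101": Port("I"),
    "room102": Port("I"),
    "web1": Port("C", "web"),
    "web2": Port("C", "web"),
    "db1": Port("C", "db"),
}


def carrying_vlan(src: str) -> int:
    """Secondary/primary VLAN a frame rides on, determined by its ingress port type."""
    p = PORTS[src]
    if p.kind == "P":
        return PRIMARY_VLAN
    if p.kind == "I":
        return ISOLATED_VLAN
    return COMMUNITY_VLANS[p.community]


def can_forward(src: str, dst: str) -> bool:
    """P-ports talk to everyone; I-ports only to P-ports; C-ports to P-ports and
    to C-ports of the same community."""
    if src == dst:
        return False
    s, d = PORTS[src], PORTS[dst]
    if s.kind == "P" or d.kind == "P":
        return True
    if s.kind == "C" and d.kind == "C" and s.community == d.community:
        return True
    return False


def reachable(src: str) -> List[str]:
    """Every port that a frame from src may be delivered to (unicast or flooded)."""
    return sorted(d for d in PORTS if can_forward(src, d))


if __name__ == "__main__":
    for name in PORTS:
        print(f"{name:8} on VLAN {carrying_vlan(name)} reaches {reachable(name)}")
```

Two hotel rooms on isolated ports can each reach only the router, the two web servers in one community reach each other and the router, and the router reaches every host through the primary VLAN. Anything between sub-VLANs that is not allowed here has to go through the L3 device, where access lists decide, as the slides describe.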

PVLAN Ports Connectivity

Part V Summary

Best Practices 1/2
Always use a dedicated VLAN ID for all trunk ports. Avoid using VLAN 1. Set all user ports to non-trunking. Deploy port security when possible for user ports. Choose one or more ARP security options.

Best Practices 2/2
Use authentication for VTP when VTP is needed. Disable CDP where it is not needed. Disable all unused ports and put them in an unused VLAN. Enable STP attack mitigation (BPDU Guard, Root Guard). Use PVLANs where appropriate.