Ethernet: Layer 2 Security. Eric Vyncke, Cisco Systems Distinguished Engineer. © 2003, Cisco Systems, Inc. All rights reserved.

Presentation transcript:

Slide 1: Ethernet: Layer 2 Security (Eric Vyncke, Cisco Systems Distinguished Engineer)

Slide 2: The Domino Effect
- Unfortunately this means if one layer is hacked, communications are compromised without the other layers being aware of the problem
- Security is only as strong as your weakest link
- When it comes to networking, layer 2 can be a VERY weak link
[Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside what each layer relies on (Application Stream, Protocols/Ports, IP Addresses, MAC Addresses, Physical Links); an initial compromise at the Data Link layer leaves the layers above it compromised]

Slide 3: MAC Attacks

Slide 4: CAM Overflow 1/2
[Figure: a switch with MAC A on port 1, MAC B on port 2 and MAC C on port 3. The CAM table starts as A->1, B->2, C->3. The station on port 3 sends frames with bogus source MACs X, Y, ...; the switch learns "X is on port 3", "Y is on port 3", and the table becomes X->3, Y->3, C->3, with the entries for A and B overwritten]

Slide 5: CAM Overflow 2/2
[Figure: CAM table X->3, Y->3, C->3. A sends a frame to B; B is unknown, so the switch floods the frame out all ports and the station on port 3 announces "I see traffic to B!"]

Slide 6: MAC Flooding Attack Mitigation
- Port Security: allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port. Upon detection of an invalid MAC, block only the offending MAC or just shut down the port
- Smart CAM table: never overwrite existing entries; only time out inactive entries; active hosts will never be overwritten
- Speak first: deviation from the learning bridge: never flood; requires a host to send traffic first before receiving
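The following is an added example (not code from the deck or from Cisco) that models slides 4 to 6 as a toy learning switch: a CAM table of fixed size, the classic "overwrite the oldest entry" behaviour that lets the bogus MACs from port 3 evict A and B, and the two mitigations from slide 6, port security (a per-port MAC limit that shuts the port down on violation) and a smart CAM table (entries are only replaced once they have aged out). The capacity, aging time and port limit are constructed parameters; the eviction policy of a real switch ASIC is vendor specific.

```python
"""Toy learning switch with the slide 6 mitigations (added example, not Cisco code).

The CAM capacity, the aging time and the port-security limit are constructed
parameters; the eviction policy of a real ASIC is vendor specific.
"""
from dataclasses import dataclass, field
from typing import Optional

FLOOD = "flood"   # unknown unicast or broadcast: frame copied to every other port
DROP = "drop"     # frame discarded because the ingress port is shut down


@dataclass
class Switch:
    capacity: int                              # CAM entries the hardware can hold
    aging_time: int = 300                      # seconds of silence before an entry is inactive
    max_macs_per_port: Optional[int] = None    # port security limit, None = disabled
    smart_cam: bool = False                    # never overwrite an active entry
    cam: dict = field(default_factory=dict)    # mac -> [port, last_seen]
    shutdown_ports: set = field(default_factory=set)

    def macs_on(self, port):
        return {m for m, (p, _) in self.cam.items() if p == port}

    def learn(self, src, port, t):
        if src in self.cam:
            self.cam[src] = [port, t]            # refresh: the host is still active
            return
        if (self.max_macs_per_port is not None
                and len(self.macs_on(port)) >= self.max_macs_per_port):
            self.shutdown_ports.add(port)        # port security: shut the port down
            return
        if len(self.cam) >= self.capacity:
            if self.smart_cam:
                idle = [m for m, (_, seen) in self.cam.items()
                        if t - seen > self.aging_time]
                if not idle:
                    return                       # full of active hosts: refuse to learn
                del self.cam[idle[0]]            # only time out an inactive entry
            else:
                oldest = min(self.cam, key=lambda m: self.cam[m][1])
                del self.cam[oldest]             # classic bridge: overwrite the oldest entry
        self.cam[src] = [port, t]

    def forward(self, src, dst, in_port, t):
        """Learn src on in_port, then return the egress port, FLOOD or DROP."""
        if in_port in self.shutdown_ports:
            return DROP
        self.learn(src, in_port, t)
        if in_port in self.shutdown_ports:       # learning just tripped port security
            return DROP
        return self.cam[dst][0] if dst in self.cam else FLOOD


def run_scenario(**switch_options):
    """Three hosts announce themselves, port 3 then emits 50 bogus source MACs,
    and finally A sends a unicast frame to B (the slide 5 moment)."""
    sw = Switch(capacity=3, **switch_options)
    t = 0
    for mac, port in (("A", 1), ("B", 2), ("C", 3)):
        sw.forward(mac, "FF:FF", port, t)        # every host speaks once (broadcast)
        t += 1
    attacker_seen = set()
    for i in range(50):
        attacker_seen.add(sw.forward(f"X{i}", "FF:FF", 3, t))
        t += 1
    return {
        "a_to_b": sw.forward("A", "B", 1, t),    # FLOOD means port 3 sees A's traffic to B
        "attacker": attacker_seen,
        "shutdown": sorted(sw.shutdown_ports),
        "cam": sorted(sw.cam),
    }


if __name__ == "__main__":
    print("no mitigation:", run_scenario())
    print("port security:", run_scenario(max_macs_per_port=1))
    print("smart CAM:    ", run_scenario(smart_cam=True))
```

Without mitigation the unicast from A to B is flooded because both entries were evicted; with a one-MAC port-security limit the first bogus address shuts port 3 down; with the smart CAM rule the bogus addresses are simply never learned while A, B and C remain active.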

Slide 7: ARP Attacks

Slide 8: ARP Spoofing
[Figure: three stations, IP a / MAC A, IP b / MAC B and IP c / MAC C, on one segment. C sends a faked gratuitous ARP reply to A ("C->A, ARP, b=C"). A now sends its traffic for IP b to MAC C ("A->C, IP, a->b"), and C relays it on to B ("C->B, IP, a->b"), so C sees all traffic from IP a to IP b]

Slide 9: Mitigating ARP Spoofing
- ARP spoofing works only within one VLAN
- Static ARP table on critical stations (but dynamic ARP overrides static ARP on most hosts!)
- ARP ACL: checking ARP packets within a VLAN, either by static definition or by snooping DHCP for dynamic leases
- No direct communication among a VLAN: private VLAN; a spoofed ARP packet cannot reach other hosts
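As an added example (not part of the deck and not Cisco's implementation), the check below is the "ARP ACL" of slide 9: an RFC 826 ARP parser plus an inspection function that compares the sender IP/MAC of every ARP packet against a per-VLAN binding table, which is what a static definition or DHCP snooping would provide. The MACs, IP addresses, binding table and the two test frames (a legitimate gratuitous ARP from B and the slide 8 forgery in which C claims b = C) are all constructed.

```python
"""ARP inspection against a DHCP-snooping style binding table (added example,
not Cisco's implementation). Frames, MACs, IPs and bindings are constructed.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_src, eth_dst, opcode, sha, spa, tha, tpa):
    """Ethernet II header followed by an RFC 826 ARP packet for IPv4 over Ethernet."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) + arp


def parse_arp(frame):
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, opcode, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": eth_src, "opcode": opcode, "sha": sha,
            "spa": str(IPv4Address(spa)), "tha": tha, "tpa": str(IPv4Address(tpa))}


def inspect_arp(frame, vlan, bindings):
    """Return 'permit' or 'deny: <reason>', using bindings[(vlan, ip)] = mac.
    Both requests and replies are checked: a forged sender binding in either
    poisons the receiver's cache."""
    p = parse_arp(frame)
    if p["eth_src"] != p["sha"]:
        return "deny: Ethernet source differs from ARP sender hardware address"
    if p["opcode"] not in (ARP_REQUEST, ARP_REPLY):
        return "deny: unknown ARP opcode"
    expected = bindings.get((vlan, p["spa"]))
    if expected is None:
        return f"deny: no binding for {p['spa']} in VLAN {vlan}"
    if expected != p["sha"]:
        return (f"deny: {p['spa']} is bound to {expected.hex(':')} "
                f"but the frame claims {p['sha'].hex(':')}")
    return "permit"


# Constructed binding table, as DHCP snooping would populate it for VLAN 10.
MAC_A, MAC_B, MAC_C = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:0c")
BINDINGS = {(10, "10.0.0.1"): MAC_A, (10, "10.0.0.2"): MAC_B, (10, "10.0.0.3"): MAC_C}

# Legitimate gratuitous ARP from B, and the slide 8 forgery: C tells A that b = C.
LEGIT = build_arp(MAC_B, BROADCAST, ARP_REPLY, MAC_B, "10.0.0.2", BROADCAST, "10.0.0.2")
SPOOF = build_arp(MAC_C, MAC_A, ARP_REPLY, MAC_C, "10.0.0.2", MAC_A, "10.0.0.1")

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, "->", inspect_arp(frame, 10, BINDINGS))
```

The binding table is keyed by VLAN because, as the slide notes, ARP spoofing never crosses a VLAN boundary; an ACL that ignored the VLAN would both miss duplicates across VLANs and deny legitimate reuse of private address space.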

Slide 10: ARP Spoof Mitigation: Private VLANs
[Figure: a primary VLAN with one promiscuous port, and an isolated VLAN whose isolated ports can each reach the promiscuous port but not one another (marked x)]

Slide 11: VLAN "Hopping" Attacks

Slide 12: Trunk Port Refresher
- Trunk ports have access to all VLANs by default
- Used to route traffic for multiple VLANs across the same physical link (generally used between switches)
[Figure: two switches connected through a trunk port]

Slide 13: Basic VLAN Hopping Attack
- A station can spoof as a switch with 802.1Q signaling
- The station is then a member of all VLANs
- Requires a trunking-favorable setting on the port (the SANS paper is three years old)
[Figure: a station connected to a switch over what has become a trunk port]

Slide 14: Double Encapsulated 802.1Q VLAN Hopping Attack
- Send double encapsulated 802.1Q frames
- Switch performs only one level of decapsulation
- Unidirectional traffic only
- Works even if trunk ports are set to off
- Note: only works if the trunk has the same native VLAN as the attacker
[Figure: the attacker sends a frame tagged "802.1q, 802.1q, Frame"; the first switch strips off the first tag and sends "802.1q, Frame" back out across the trunk; the second switch delivers the frame to the victim]

Slide 15: Mitigation
- Use recent switches
- Disable auto-trunking
- Never put a host in the trunk native VLAN
- Put unused ports in an unused VLAN
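The following added example (not from the deck and not Cisco code) makes the slide 14 note and the slide 15 rule "never put a host in the trunk native VLAN" concrete. It parses and builds 802.1Q tags, then models the three hops of the figure: the access port strips the outer tag, the trunk sends the native VLAN untagged, and the far switch reads whatever tag is left. Run with the attacker's VLAN equal to the trunk's native VLAN the inner tag survives; with a dedicated native VLAN it does not. The access-port and trunk behaviour is a simplified model (in particular, the assumption that an access port accepts a frame tagged with its own VLAN), not the exact forwarding logic of any product, and the addresses and payload are constructed.

```python
"""802.1Q tag handling for the slide 14 double-tag case (added example, not
Cisco code). Simplified switch model; addresses and payload are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vlans, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with one 802.1Q tag per entry in vlans (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, inner ethertype, payload)."""
    offset, vlans = 12, []
    while struct.unpack_from("!H", frame, offset)[0] == TPID_8021Q:
        vlans.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return vlans, struct.unpack_from("!H", frame, offset)[0], frame[offset + 2:]


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def access_ingress(frame, port_vlan):
    """Switch 1, access port: untagged frames belong to port_vlan; a frame tagged
    with port_vlan is accepted and that one tag removed (assumed behaviour)."""
    vlans, _, _ = parse_tags(frame)
    if not vlans:
        return port_vlan, frame
    if vlans[0] != port_vlan:
        return None, None                     # tag for another VLAN: dropped
    return port_vlan, strip_outer_tag(frame)  # only one level of decapsulation


def trunk_egress(vlan, frame, native_vlan):
    """Switch 1, trunk: the native VLAN travels untagged, all others get a tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Switch 2, trunk: the outer tag selects the VLAN; untagged means native."""
    vlans, _, _ = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def hop(frame, attacker_port_vlan, native_vlan):
    """VLAN the frame is delivered into on switch 2, or None if dropped."""
    vlan, inner = access_ingress(frame, attacker_port_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(vlan, inner, native_vlan), native_vlan)


def is_double_tagged(frame):
    """Edge check a recent switch can apply: more than one tag from a host port."""
    return len(parse_tags(frame)[0]) > 1


ATTACKER = bytes.fromhex("020000000aaa")   # constructed MACs
VICTIM = bytes.fromhex("020000000bbb")
DOUBLE = build_frame(VICTIM, ATTACKER, [1, 10], b"payload meant for VLAN 10")

if __name__ == "__main__":
    print("native VLAN shared with the attacker:", hop(DOUBLE, 1, 1))     # 10
    print("dedicated native VLAN 999:           ", hop(DOUBLE, 1, 999))   # 1
    print("double tag detected at the edge:     ", is_double_tagged(DOUBLE))
```

With the native VLAN set to a dedicated ID that carries no hosts, the outer tag is re-added on the trunk and the far switch keeps the frame in the attacker's own VLAN; the `is_double_tagged` check is the kind of edge filtering that "use recent switches" buys you.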

Slide 16: Spanning Tree Attacks

Slide 17: Spanning Tree Basics: Loop-Free Connectivity
[Figure: a mesh of switches; one switch is elected as Root, ports are set to forwarding (F) or blocking (B), redundant links are marked X, and a tree-like loop-free topology is established]

Slide 18: Spanning Tree Attack Example 1/2
- Send BPDU messages from the attacker to force spanning tree recalculations; impact likely to be DoS
- Send BPDU messages to become root bridge
[Figure: an attacker connected to the access switches below the Root, sending STP BPDUs]

Slide 19: Spanning Tree Attack Example 2/2
- Send BPDU messages from the attacker to force spanning tree recalculations; impact likely to be DoS
- Send BPDU messages to become root bridge
- The hacker then sees frames he shouldn't
- MITM, DoS, etc. all possible
- Any attack is very sensitive to the original topology, trunking, PVST, etc.
- Requires the attacker to be dual homed to two different switches
[Figure: the attacker dual homed to two access switches has become root; the former root's uplinks are now blocking (B) and traffic between the access switches crosses the attacker]

Slide 20: STP Attack Mitigation
- Disable STP (it is not needed in loop-free topologies)
- BPDU Guard: disables ports upon detection of a BPDU message on the port
- Root Guard: disables ports that would become the root bridge due to their BPDU advertisement
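As an added example (not from the deck, not Cisco's implementation), here are the two slide 20 guards applied to a parsed 802.1D configuration BPDU. BPDU Guard is unconditional: a host port should never receive a BPDU at all, so the port is disabled on the first one. Root Guard only reacts when the received BPDU advertises a root bridge ID lower (better) than the current root, which is exactly what the slide 18 "become root bridge" attempt has to send. The bridge IDs, port names and states are constructed; real switches use their own state names and recovery timers.

```python
"""BPDU Guard and Root Guard decisions on an 802.1D configuration BPDU
(added example, not Cisco's implementation). Bridge IDs and ports are constructed.
"""
import struct

CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")   # 35-byte 802.1D configuration BPDU
BPDU_TYPE_CONFIG = 0x00


def bridge_id(priority, mac_hex):
    """Bridge ID = 2-byte priority followed by the 6-byte bridge MAC; lower wins."""
    return struct.pack("!H", priority) + bytes.fromhex(mac_hex)


def build_config_bpdu(root_id, path_cost, sender_id, port_id=0x8001):
    # times are in 1/256 s units: max age 20 s, hello 2 s, forward delay 15 s
    return CONFIG_BPDU.pack(0, 0, BPDU_TYPE_CONFIG, 0, root_id, path_cost,
                            sender_id, port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(data):
    (proto, _version, bpdu_type, _flags, root_id, cost,
     sender_id, _port_id, _age, _max_age, _hello, _fwd) = CONFIG_BPDU.unpack(data[:35])
    if proto != 0 or bpdu_type != BPDU_TYPE_CONFIG:
        raise ValueError("not a configuration BPDU")
    return {"root_id": root_id, "path_cost": cost, "sender_id": sender_id}


class Port:
    def __init__(self, name, bpdu_guard=False, root_guard=False):
        self.name, self.bpdu_guard, self.root_guard = name, bpdu_guard, root_guard
        self.state = "forwarding"


def receive_bpdu(port, data, current_root_id):
    """Apply the slide 20 guards to one received BPDU; return the action taken."""
    bpdu = parse_config_bpdu(data)
    if port.bpdu_guard:
        port.state = "err-disabled"          # no BPDU is ever expected on a host port
        return "bpdu-guard: port disabled"
    if port.root_guard and bpdu["root_id"] < current_root_id:
        port.state = "root-inconsistent"     # a superior BPDU would move the root here
        return "root-guard: superior BPDU blocked"
    return "accepted: normal STP processing"


ROOT = bridge_id(4096, "0000aa000001")      # the legitimate root (constructed)
ROGUE = bridge_id(0, "0200deadbeef")        # priority 0 would win any election
LEGIT_BPDU = build_config_bpdu(ROOT, 0, ROOT)
ROGUE_BPDU = build_config_bpdu(ROGUE, 0, ROGUE)


def demo():
    host_port = Port("host-port-1", bpdu_guard=True)
    uplink = Port("uplink-1", root_guard=True)
    results = {
        "rogue on host port": receive_bpdu(host_port, ROGUE_BPDU, ROOT),
        "rogue on uplink": receive_bpdu(uplink, ROGUE_BPDU, ROOT),
        "legit on uplink": receive_bpdu(Port("uplink-2", root_guard=True), LEGIT_BPDU, ROOT),
    }
    return results, host_port.state, uplink.state


if __name__ == "__main__":
    for event, action in demo()[0].items():
        print(f"{event}: {action}")
```

The bridge-ID comparison is a plain byte comparison because the priority field precedes the MAC in network order, so a lower 16-bit priority always wins before the MAC is considered.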

Slide 21: Other Attacks

Slide 22: DHCP Rogue Server Attack
- Simply the installation of an unknown DHCP server in the local subnet
- Other attack: exhaustion of DHCP pools
- RFC 3118 "Authentication for DHCP Messages" will help, but has yet to be implemented
- Mitigation: consider using multiple DHCP servers for the different security zones of your network; use an intra-VLAN ACL to block DHCP traffic from unknown servers
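The following is an added example (not from the deck, not Cisco code) of the slide 22 mitigation "block DHCP traffic from unknown servers", written as the filter a switch would apply per port: server-to-client messages (OFFER, ACK, NAK) are accepted only from ports marked trusted and only when the server identifier is on the allow list, while client messages pass through. The packets, port names, trusted-port set and server list are constructed; pool exhaustion (the other attack on the slide) is a rate-limiting problem this filter does not address.

```python
"""Filter for rogue DHCP server replies (added example, not Cisco code).
Packets, ports and the server allow list are constructed."""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = bytes.fromhex("63825363")
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 53, 54, 0, 255
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSG_TYPES = {OFFER, ACK, NAK}


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", server_id=None, xid=0x1234):
    """RFC 2131 fixed header (236 bytes) + magic cookie + options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(data):
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    server_id = str(IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    return {"op": data[0], "type": opts[OPT_MSG_TYPE][0],
            "yiaddr": str(IPv4Address(data[16:20])), "chaddr": data[28:34],
            "server_id": server_id}


def snoop(data, in_port, trusted_ports, known_servers):
    """Return 'forward' or 'drop: <reason>' for one DHCP message seen on in_port."""
    msg = parse_dhcp(data)
    if msg["op"] == BOOTREPLY or msg["type"] in SERVER_MSG_TYPES:
        if in_port not in trusted_ports:
            return f"drop: server message type {msg['type']} from untrusted port {in_port}"
        if msg["server_id"] not in known_servers:
            return f"drop: {msg['server_id']} is not a known DHCP server"
    return "forward"


# Constructed topology: the real server hangs off uplink-1, clients on host ports.
TRUSTED_PORTS = {"uplink-1"}
KNOWN_SERVERS = {"10.0.0.5"}
CLIENT = bytes.fromhex("020000000c01")
DISCOVER_PKT = build_dhcp(BOOTREQUEST, DISCOVER, CLIENT)
GOOD_OFFER = build_dhcp(BOOTREPLY, OFFER, CLIENT, "10.0.0.50", "10.0.0.5")
ROGUE_OFFER = build_dhcp(BOOTREPLY, OFFER, CLIENT, "10.0.0.99", "10.0.0.99")

if __name__ == "__main__":
    print(snoop(DISCOVER_PKT, "host-port-3", TRUSTED_PORTS, KNOWN_SERVERS))
    print(snoop(GOOD_OFFER, "uplink-1", TRUSTED_PORTS, KNOWN_SERVERS))
    print(snoop(ROGUE_OFFER, "host-port-7", TRUSTED_PORTS, KNOWN_SERVERS))
```

Two checks are deliberately stacked: the port trust check stops a rogue server on a host port even if it forges a known server identifier, and the allow list catches an unknown server that has somehow been patched into a trusted uplink.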

Slide 23: Proactive Defense

Slide 24: Wire-Speed Access Control Lists
- Many current switches offer wire-speed ACLs to control traffic flows (with or without a router port)
- Allows implementation of edge filtering that might otherwise not be deployed due to performance concerns
- VLAN ACLs and Router ACLs are typically the two implementation methods

Slide 25: Network Intrusion Detection System
- Network IDS are now able to:
  - Understand trunking protocols
  - Fast enough to handle 1 Gbps, including management of alerts!
  - Understand layer 2 attacks

Slide 26: 802.1x
- 802.1x is an IEEE standard for port-based network access control
- EAP based
- Improved user authentication: username and password
- Can work on plain or

Slide 27: IEEE 802.1X Terminology
[Figure: the Supplicant sits in the semi-public network / enterprise edge and talks EAP over LAN (EAPOL) or EAP over Wireless (EAPOW) to the Authenticator (e.g. switch, access point); the authenticator talks encrypted RADIUS to the Authentication Server in the enterprise network]

Slide 28: What Does It Do?
- Transports authentication information in the form of Extensible Authentication Protocol (EAP) payloads
- The authenticator (switch) becomes the middleman, relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information
- Three forms of EAP are specified in the standard:
  - EAP-MD5: MD5 hashed username/password
  - EAP-OTP: one-time passwords
  - EAP-TLS: strong PKI-authenticated Transport Layer Security (SSL); preferred method of authentication
[Figure: an 802.1x header followed by the EAP payload]

Slide 29: Example Solution "A": Access Control and User Policy Enforcement
[Figure, as a sequence: (1) Login request from the client to the switch. (2) The switch checks the credentials with the policy DB. (3) "Login good! Apply policies. This is John Doe! He goes into VLAN 5." (4) Set port VLAN to 5; the switch applies the policies and enables the port. (5) The user has access to the network, with the applicable VLAN]

Slide 30: Example Solution "B": Access for Guest Users
[Figure, as a sequence: (1) Login request. (2) Login request again; authentication timeout, retries expired: the client is not 802.1x capable. (3) "Put them in the quarantine zone!": set port VLAN to DMZ, set port QoS tagging to 7, set QoS rate limit to 2 Mbps. (4) The switch applies the policies and enables the port. (5) The user has access to the DMZ or "quarantine" network]
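The following added example (not code from the deck, not any vendor's supplicant or RADIUS server) walks through slides 27 to 30 as one exchange: EAPOL framing on the supplicant side, the authenticator relaying EAP packets to an authentication server and back, an EAP-MD5 challenge/response as specified in RFC 3748 section 5.4 (the response value is MD5 over the identifier, the secret and the challenge, as in CHAP), and the two outcomes on the port: a successful login lands John Doe in VLAN 5 (slide 29), and a client that never answers falls through to the quarantine policy of slide 30. The RADIUS transport is replaced by a direct function call to the server object, and the user database, VLAN names and guest policy are constructed; EAP-MD5 is used only because it is the simplest of the three methods on slide 28, which is also why the slide prefers EAP-TLS.

```python
"""802.1x exchange: supplicant, authenticator (switch) and authentication server,
using EAP-MD5 (added example, not vendor code; RADIUS replaced by a function call)."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
EAPOL_VERSION, EAPOL_TYPE_EAP = 1, 0
GUEST_POLICY = {"vlan": "DMZ", "qos_tag": 7, "rate_limit": "2Mbps"}   # slide 30


def eap(code, ident, type_data=b""):
    """EAP packet: Code, Identifier, Length (incl. header), Type-Data."""
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data


def eapol(eap_packet):
    """EAPOL header: version, packet type (0 = EAP-Packet), body length."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP, len(eap_packet)) + eap_packet


def parse_eap(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return code, ident, packet[4:length]


def md5_response(ident, secret, challenge):
    # RFC 3748 5.4 / RFC 1994: MD5(Identifier || secret || challenge value)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def make_supplicant(identity, password):
    """Host-side 802.1x client: answers Identity and MD5-Challenge requests."""
    def supplicant(frame):
        code, ident, data = parse_eap(frame[4:])
        if code != EAP_REQUEST or not data:
            return None
        if data[0] == EAP_TYPE_IDENTITY:
            return eapol(eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + identity))
        if data[0] == EAP_TYPE_MD5:
            size, challenge = data[1], data[2:2 + data[1]]
            value = md5_response(ident, password, challenge)
            return eapol(eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, len(value)]) + value + identity))
        return None
    return supplicant


def silent_client(_frame):
    """A client that is not 802.1x capable never answers EAPOL."""
    return None


class AuthServer:
    """Stand-in for the RADIUS server: constructed user DB mapping to a policy."""
    USERS = {b"jdoe": (b"correct horse battery", {"vlan": "VLAN 5"})}   # John Doe, slide 29

    def __init__(self):
        self.pending = {}                       # identifier -> (identity, challenge)

    def handle(self, packet):
        code, ident, data = parse_eap(packet)
        if code != EAP_RESPONSE or not data:
            return eap(EAP_FAILURE, ident), None
        eap_type, body = data[0], data[1:]
        if eap_type == EAP_TYPE_IDENTITY:
            challenge, nxt = os.urandom(16), ident + 1
            self.pending[nxt] = (body, challenge)
            return eap(EAP_REQUEST, nxt, bytes([EAP_TYPE_MD5, 16]) + challenge + b"auth-server"), None
        if eap_type == EAP_TYPE_MD5 and ident in self.pending:
            identity, challenge = self.pending.pop(ident)
            value = body[1:1 + body[0]]
            user = self.USERS.get(identity)
            if user and hmac.compare_digest(value, md5_response(ident, user[0], challenge)):
                return eap(EAP_SUCCESS, ident), user[1]
        return eap(EAP_FAILURE, ident), None


def authenticator(supplicant, server, retries=3):
    """The switch: relays EAP between EAPOL and the server, then sets the port policy."""
    request = eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))
    for _ in range(retries):
        reply = supplicant(eapol(request))
        if reply is None:
            return "timeout", GUEST_POLICY      # retries expired: quarantine zone
        answer, policy = server.handle(reply[4:])
        code = parse_eap(answer)[0]
        if code == EAP_SUCCESS:
            return "success", policy            # port enabled in the user's VLAN
        if code == EAP_FAILURE:
            return "failure", None              # port stays closed
        request = answer                        # another round trip to the supplicant
    return "timeout", GUEST_POLICY


if __name__ == "__main__":
    print(authenticator(make_supplicant(b"jdoe", b"correct horse battery"), AuthServer()))
    print(authenticator(make_supplicant(b"jdoe", b"wrong"), AuthServer()))
    print(authenticator(silent_client, AuthServer()))
```

The identifier is bumped on each new request and carried into the hash so a response cannot be replayed against a different challenge; the server looks up the pending challenge by identifier rather than trusting anything the supplicant puts in the response name field.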

Slide 31: Summary

Slide 32: Layer 2 Security Best Practices 1/2
- Manage switches in as secure a manner as possible (SSH, OOB, permit lists, etc.)
- Always use a dedicated VLAN ID for all trunk ports
- Be paranoid: do not use VLAN 1 for anything
- Set all user ports to non-trunking
- Deploy port security where possible for user ports
- Selectively use SNMP and treat community strings like root passwords
- Have a plan for the ARP security issues in your network

Slide 33: Layer 2 Security Best Practices 2/2
- Enable STP attack mitigation (BPDU Guard, Root Guard)
- Use private VLANs where appropriate to further divide L2 networks
- Disable all unused ports and put them in an unused VLAN
- Consider 802.1X for the middle term
- All of the preceding features are dependent on your own security policy

Slide 34: Final Word
- Switches were not designed for security
- Now, switches are designed with security in mind
- In most cases, with good configuration, they can even enhance your network security